Handling Session Timeout

Session timeout considerations when using the Commerce API

Session timeout occurs when a user does not perform any action on a website during an interval (defined by a web server). The event, on the server-side, changes the status of the user session to ‘invalid’ (ie. “not used anymore”) and instructs the webserver to destroy it (deleting all data contained in it). Session timeouts should be managed explicitly and intentionally, due to the security implications they can present when left unmanaged.

The OWASP® Foundation makes the following recommendations on security and best practices related to managing session timeouts:

  • Set session timeout to the minimal value possible depending on the context of the application.
  • Avoid “infinite” session timeout.
  • Prefer declarative definition of the session timeout in order to apply a global timeout for all application sessions.
  • Trace session creation/destruction in order to analyze the creation trend and try to detect a normal number of session creations (application profiling phase in an attack).


The OWASP® Foundation

The OWASP® Foundation works to improve the security of software through its community-led open source software projects, hundreds of chapters worldwide, tens of thousands of members, and by hosting local and global conferences.

Managing Session with Commerce API

The Progressive Leasing checkout experience imposes a session timeout of 30 minutes. After this timeout occurs in a progressive-controlled screen/User Experience, our system will raise an event indicating a timeout has occurred. This eventing approach and details on the message that is raised, along with a recommended approach for configuring your application to receive these messages, is described in the Contract Event Messaging section.