Once authenticated the user is issued a cookie with the session id. On page requests the cookie is checked, however the cookie persists for the duration that the browser is open or until the user manually logs out.
There should be a temporal component to the session to allow it to automatically time out after a period of time and force the user to re-authenticate.
Once authenticated the user is issued a cookie with the session id. On page requests the cookie is checked, however the cookie persists for the duration that the browser is open or until the user manually logs out.
There should be a temporal component to the session to allow it to automatically time out after a period of time and force the user to re-authenticate.