
Term · 4. Identification & Authentication

User Session

IDM/IGA Domain

Definition

The temporal context maintained between authentication and logout; it represents a user's authenticated state across multiple requests. Implemented via session cookies, JWTs, OAuth access tokens, or platform-native session objects. Modern best practice: short-lived sessions with silent refresh, server-side session state so that sessions can be revoked, and continuous evaluation of session validity.

Application
Standards: OAuth 2.0 token lifetimes, the OIDC Session Management spec, and the Continuous Access Evaluation Protocol (CAEP) for real-time session events. Session termination triggers: explicit logout, idle timeout, absolute timeout, or a risk event (CAEP signal).
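The following is an added illustration, not code from the glossary or from any of the cited standards. It is a minimal server-side session store that exercises the four termination triggers listed above (explicit logout, idle timeout, absolute timeout, risk event) and shows why server-side state is what makes revocation possible. The timeout values, the `SessionStore` API, the shape of the risk event and the injected clock are all assumptions made for the example.

```python
"""Added example: server-side session state with continuous evaluation.
Names, timeout values and the risk-event shape are illustrative assumptions."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

IDLE_TIMEOUT = 15 * 60          # assumed: end session after 15 min without a request
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # assumed: hard lifetime of 8 h regardless of activity


@dataclass
class Session:
    subject: str
    created_at: float
    last_seen: float
    revoked: bool = False
    revoke_reason: Optional[str] = None


class Clock:
    """Controllable clock so the timeouts can be exercised deterministically."""
    def __init__(self, start: float = 0.0):
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class SessionStore:
    """Server-side state keyed by a hash of the session secret.
    A bearer cookie cannot be 'un-issued', but its server record can be
    deleted or flagged, which is what allows revocation on a risk event."""
    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(secret: str) -> str:
        # Store only a hash so a leaked session table does not yield usable cookies.
        return hashlib.sha256(secret.encode()).hexdigest()

    def create(self, subject: str) -> str:
        secret = secrets.token_urlsafe(32)  # 256-bit random session secret
        t = self._now()
        self._sessions[self._key(secret)] = Session(subject, t, t)
        return secret

    def validate(self, secret: str) -> Tuple[bool, str]:
        """Continuous evaluation on every request. Returns (valid, reason)."""
        key = self._key(secret)
        sess = self._sessions.get(key)
        if sess is None:
            return False, "unknown"
        now = self._now()
        if sess.revoked:
            self._sessions.pop(key, None)
            return False, sess.revoke_reason or "revoked"
        if now - sess.created_at > ABSOLUTE_TIMEOUT:
            self._sessions.pop(key, None)
            return False, "absolute_timeout"
        if now - sess.last_seen > IDLE_TIMEOUT:
            self._sessions.pop(key, None)
            return False, "idle_timeout"
        sess.last_seen = now  # activity resets the idle window, never the absolute one
        return True, "ok"

    def logout(self, secret: str) -> None:
        """Explicit logout: drop the server record so the cookie is dead immediately."""
        self._sessions.pop(self._key(secret), None)

    def on_risk_event(self, event: dict) -> int:
        """Handle a CAEP-style signal (assumed shape: {'subject': ..., 'reason': ...}).
        Flags every live session of that subject; returns how many were revoked."""
        count = 0
        for sess in self._sessions.values():
            if sess.subject == event["subject"] and not sess.revoked:
                sess.revoked = True
                sess.revoke_reason = "risk_event:" + event.get("reason", "unspecified")
                count += 1
        return count


def demo() -> dict:
    """Walk through all four termination triggers with a constructed timeline."""
    clock = Clock(1_000_000.0)
    store = SessionStore(now=clock.now)
    results = {}

    s = store.create("alice")
    results["fresh"] = store.validate(s)[1]
    clock.advance(IDLE_TIMEOUT + 1)          # no requests for just over the idle window
    results["idle"] = store.validate(s)[1]

    s = store.create("alice")
    outcome = "ok"
    for _ in range(100):                     # keep active every 5 min, so only the absolute limit trips
        clock.advance(5 * 60)
        outcome = store.validate(s)[1]
        if outcome != "ok":
            break
    results["absolute"] = outcome

    s1 = store.create("bob")
    s2 = store.create("bob")
    s3 = store.create("carol")
    results["revoked_count"] = store.on_risk_event({"subject": "bob", "reason": "credential_compromise"})
    results["bob_after"] = store.validate(s1)[1]
    results["carol_after"] = store.validate(s3)[1]
    store.logout(s3)
    results["after_logout"] = store.validate(s3)[1]
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The ordering inside `validate` is deliberate: the revocation flag is checked before either timeout so a risk event wins even on an otherwise-fresh session, and the absolute limit is checked before the idle one so that steady activity cannot extend a session past its hard lifetime.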
Standards & regulations
  • NIST SP 800-63-3 «A session begins with an authentication event and ends with a session termination event. A session is bound by use of a session secret that the subscriber’s system uses to prove possession of an authe»
  • NIST SP 800-63B «The continuity of authenticated sessions SHALL be based on the possession of a session secret that is issued by the session host at the time of authentication, as part of an authentication ceremony ti»
  • OASIS SAML 2.0 Session Token Profile Version 1.0 «Web Servers and Application Servers generally maintain security state information for currently active users, particularly once some type of authentication has occurred. This specification defines a f»
Sources