OWASP's best practises for session management Ensure that the session inactivity timeout is as low as feasible; it is advised that the session activity timeout is no more than a few hours. When a user re-authenticates or creates a new browser session, generate a new session identifier.
Share a personalized message with your friends.