How does it handle session timeouts?

It advocates for short-lived access tokens combined with refresh token rotation to balance user experience with a reduced window of compromise.

How does this skill help with OWASP compliance?

This skill implements session management patterns grounded in the OWASP Session Management Cheat Sheet, covering token entropy, secure cookie attributes, and rigorous invalidation policies.

Does this work for both web applications and mobile APIs?

Yes, it provides specific guidance for both HTTPOnly cookies (optimized for browsers) and Bearer tokens/JWTs (optimized for APIs and mobile applications).

Can it help prevent Session Hijacking?

Yes, it enforces high-entropy tokens, HTTPS-only cookies, and session ID regeneration upon login or privilege change to minimize hijacking risks.

What signing algorithms are recommended for JWTs?

The skill advises using asymmetric signing algorithms like RS256 or ES256 to ensure that even if a public key is exposed, tokens cannot be forged by unauthorized parties.

Session Management Security

Name: Session Management Security
Author: sethdford

bysethdford

•

セキュリティとテスト

Implements robust, industry-standard session handling protocols to prevent hijacking, fixation, and unauthorized access.

This skill provides senior-level guidance for architecting secure session management systems, bridging the gap between stateless HTTP and persistent authentication. It offers prescriptive implementation patterns for both web-based cookies and API-based tokens, ensuring high-entropy token generation, proactive session invalidation, and protection against common vulnerabilities like CSRF and session hijacking. Grounded in OWASP and NIST standards, it helps developers navigate the complexities of token storage, expiry, and rotation while avoiding common security anti-patterns.

主な機能

01Cryptographically secure token generation with 256-bit entropy

02Secure JWT implementation using asymmetric signing (RS256/ES256)

039 GitHub stars

04Session fixation prevention through ID regeneration and privilege escalation checks

05Hardened cookie configurations including HttpOnly, Secure, and SameSite attributes

06Comprehensive session invalidation strategies for logout and security events

ユースケース

01Refactoring API token management to use rotating refresh tokens

02Hardening existing session cookie policies to meet OWASP security standards

03Designing a secure authentication flow for a production web application

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add sethdford/claude-skills session-management

For use in Claude.ai and ChatGPT

主な機能

01Cryptographically secure token generation with 256-bit entropy

02Secure JWT implementation using asymmetric signing (RS256/ES256)

039 GitHub stars

04Session fixation prevention through ID regeneration and privilege escalation checks

05Hardened cookie configurations including HttpOnly, Secure, and SameSite attributes

06Comprehensive session invalidation strategies for logout and security events

ユースケース

01Refactoring API token management to use rotating refresh tokens

02Hardening existing session cookie policies to meet OWASP security standards

03Designing a secure authentication flow for a production web application

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add sethdford/claude-skills session-management

For use in Claude.ai and ChatGPT