YepAPI
Session Security Agent Skill

Session security — HttpOnly cookies, session rotation, idle timeouts, anti-fixation.

Tags: security, sessions, cookies, authentication

The Skill


SKILL.md
---
description: Session security — HttpOnly cookies, session rotation, idle timeouts, anti-fixation.
homepage: https://yepapi.com/skills/session-security
metadata:
  tags: [security, sessions, cookies, authentication]
---

# Session Security

## Rules

- Set cookies with `HttpOnly`, `Secure`, `SameSite=Lax`, and `Path=/` — every time, no exceptions
- Rotate session ID on login to prevent session fixation attacks
- Idle timeout: 30 minutes of inactivity invalidates the session server-side
- Absolute timeout: 24 hours max session lifetime regardless of activity
- Store sessions server-side (Redis, database) — the cookie holds only the session ID
- Fingerprint sessions with IP + User-Agent hash — invalidate on mismatch
- Generate session IDs with `crypto.randomBytes(32)` — never sequential or predictable

```ts
// Secure cookie settings
const sessionCookie = {
  httpOnly: true, // not readable from document.cookie
  secure: process.env.NODE_ENV === "production", // HTTPS only (always true in prod)
  sameSite: "lax" as const, // not sent on cross-site POSTs
  path: "/",
  // 24h absolute timeout. Set-Cookie Max-Age is in seconds; note that
  // Express's res.cookie() expects maxAge in milliseconds, so convert there.
  maxAge: 24 * 60 * 60,
};
```

```ts
// Rotate session on login: destroy the pre-authentication session (its ID may
// have been planted by an attacker) and issue a fresh ID bound to the user.
// createSession() and hashFingerprint() are the application's own server-side
// session-store helpers, not shown here; req is assumed to be an Express
// request with express-session attached.
import type { Request } from "express";

async function loginUser(req: Request, user: { id: string }): Promise<string> {
  // express-session's destroy() is callback-based; wait for the old record to
  // be removed before the new one is written
  await new Promise<void>((resolve, reject) =>
    req.session.destroy((err) => (err ? reject(err) : resolve()))
  );
  const newSession = await createSession({
    userId: user.id,
    fingerprint: hashFingerprint(req.ip, req.headers["user-agent"]),
    createdAt: Date.now(),
    lastActive: Date.now(),
  });
  return newSession.id; // caller sets this in the cookie with sessionCookie
}
```

## Avoid

- Storing session tokens in localStorage — XSS can steal them instantly
- Cookies without `HttpOnly` — JavaScript can read and exfiltrate the session
- Sessions that never expire — stolen session = permanent access
- Keeping the same session ID after login — session fixation attack
- Trusting client-side session data (JWTs with mutable claims stored client-side without server validation)


Why Use the Session Security Skill?

Without this skill, your AI guesses at session security patterns. It might hallucinate deprecated APIs, use outdated conventions, or miss best practices entirely. With it, your AI follows a proven ruleset — every suggestion aligns with current standards.

Drop this skill into your project and your AI instantly knows the rules. Better code suggestions, fewer errors, faster shipping.

Try These Prompts

These prompts work better with the Session Security skill installed. Your AI knows the context and writes code that fits.

"Implement secure session management with HttpOnly cookies and session rotation on login"

"Add idle timeout and absolute timeout to my session handling"

"Create a session fingerprinting system that detects hijacking attempts"

Session Security skill — FAQ

It provides rules for secure cookie configuration, session rotation on login, idle and absolute timeouts, and fingerprinting to prevent session fixation and hijacking. Your AI writes session management code that follows security best practices.

Run `npx skills add YepAPI/skills --skill session-security` in your project root. This copies the skill file into your repo where your AI coding tool can read it automatically.

Session fixation attacks trick users into authenticating with an attacker-controlled session ID. By rotating the session ID on login, the old session is destroyed and the attacker loses access.
