Session Management: User Session Management

Last updated: 2/9/2026
Reading time: 4 min

Session Management

Category: security

Full Name: User Session Management

Definition

Session Management encompasses the complete lifecycle of controlling, securing, and terminating user sessions within a software application or across a distributed system. It includes session creation upon successful authentication, maintenance of session state during user interaction, enforcement of security policies such as timeouts and re-authentication requirements, and secure session destruction when the session ends. In the EUDI Wallet ecosystem, session management is critical at three distinct levels: the wallet application session that governs how long the user remains authenticated to their wallet after biometric verification, the ephemeral credential presentation session that secures the communication channel between wallet and verifier during a credential exchange, and the relying party session that a service grants to a user after successfully verifying their EUDI Wallet credentials. Each level has distinct security requirements, timeout policies, and threat models that must be carefully addressed to prevent session hijacking, session fixation, session replay, and unauthorized access through expired or abandoned sessions.

Wallet Application Session Management

The EUDI Wallet application session begins when the user successfully authenticates using biometrics (fingerprint or face recognition) or a PIN/password. Upon authentication, the secure enclave grants the wallet application a time-limited authorization to perform cryptographic operations such as signing credential presentations. This authorization is not a token in the traditional web session sense but rather an operating system-level permission grant tied to the biometric authentication event.

The wallet session enforces configurable inactivity timeouts that lock the wallet after a period of no user interaction, typically 2 to 5 minutes for standard operations. High-security operations (such as presenting credentials to government services or signing legal documents) may require shorter timeouts or immediate re-authentication regardless of session status. The session is also immediately terminated when the device is locked, when the app is moved to the background, or when the device detects potentially suspicious activity (such as a debugger attachment or jailbreak detection).

Memory management during the wallet session is particularly important. Sensitive data such as decrypted credential attributes, presentation history, and intermediate cryptographic values are held in memory only during the active session and are securely overwritten (using platform-specific secure memory wipe APIs) when the session terminates. This prevents memory forensics attacks from recovering sensitive wallet data from a device that has been locked or from a wallet that has timed out.
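As an added example (not code from the page or from any wallet implementation), the wallet session rules above in Python: an idle timeout, immediate lock on device, app or tamper events, a stricter freshness rule for high-security operations, and wiping of decrypted data on lock. The timeout values, the event names and the 30-second high-security window are assumptions; clock values are passed in so the logic is deterministic.

```python
IDLE_TIMEOUT_S = 300           # standard operations: lock after 5 min without interaction
HIGH_SECURITY_MAX_AGE_S = 30   # assumed policy: sensitive ops need an auth event this fresh
LOCK_EVENTS = {"device_locked", "app_backgrounded", "debugger_attached", "jailbreak_detected"}


class WalletSession:
    def __init__(self):
        self.auth_time = None        # time of the last successful biometric/PIN event
        self.last_activity = None
        self.secrets = bytearray()   # decrypted credential attributes, held only while unlocked

    def unlock(self, now, decrypted_attrs: bytes):
        self.auth_time = self.last_activity = now
        self.secrets = bytearray(decrypted_attrs)

    def is_unlocked(self, now) -> bool:
        if self.auth_time is None:
            return False
        if now - self.last_activity > IDLE_TIMEOUT_S:
            self.lock()              # idle timeout expired: wipe and require re-authentication
            return False
        return True

    def touch(self, now):
        """Record user interaction; only an unlocked session can be kept alive."""
        if self.is_unlocked(now):
            self.last_activity = now

    def on_event(self, event: str):
        if event in LOCK_EVENTS:     # OS lock, backgrounding and tamper signals end the session
            self.lock()

    def authorize(self, now, high_security: bool = False) -> bool:
        """May the wallet perform an operation now? High-security ops also need fresh auth."""
        if not self.is_unlocked(now):
            return False
        if high_security and now - self.auth_time > HIGH_SECURITY_MAX_AGE_S:
            return False             # still unlocked, but the caller must re-authenticate first
        return True

    def lock(self):
        for i in range(len(self.secrets)):   # overwrite before dropping the reference;
            self.secrets[i] = 0              # a real wallet calls the platform wipe API
        self.secrets = bytearray()
        self.auth_time = self.last_activity = None
```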

Credential Presentation Session Security

Each credential presentation creates a fresh, ephemeral session between the wallet and the verifier. In the ISO 18013-5 proximity flow (used for face-to-face verifications like mobile driving licenses), this session begins with device engagement, where the wallet and verifier exchange ephemeral public keys through a QR code or NFC tap. These keys are used to derive session encryption keys via ECDH (Elliptic Curve Diffie-Hellman), creating a unique encrypted channel for the single transaction.

The presentation session has a very short lifetime, typically measured in seconds. The session is bound to a specific verifier request (identified by a nonce), a specific set of requested attributes, and a specific communication channel. Once the credential data has been transferred and the verifier has confirmed receipt, the session is destroyed. The ephemeral keys are overwritten, the session state is cleared, and no trace of the specific interaction remains in the wallet's volatile memory. This stateless approach minimizes the attack surface and ensures that a compromise of one session cannot affect any other session.

For online credential presentations (via OpenID4VP), the session is established through standard HTTPS with additional application-level encryption. The wallet creates a response to the verifier's authorization request, signs it with the device-bound key, and transmits it over the encrypted channel. The session ends when the verifier acknowledges receipt. The stateless nature of the OpenID4VP protocol means no persistent session state is maintained between the wallet and verifier after the presentation completes.
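An added example, not from the page or from any ISO 18013-5 or OpenID4VP implementation, of the presentation session described above: session keys are derived with HKDF-SHA256 from the ECDH shared secret and the engagement transcript, the session is bound to one nonce and one attribute set for a window measured in seconds, and both keys are wiped on close. The standard library has no ECDH, so the shared secret is passed in as a constructed value; the salt construction and the "SKReader"/"SKDevice" labels are my reading of the ISO 18013-5 key derivation and are assumptions here.

```python
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with SHA-256, standard library only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class PresentationSession:
    """One transaction's encrypted channel: keys derived from the ECDH shared secret and
    the engagement transcript, bound to one nonce and attribute set, wiped on close."""

    def __init__(self, shared_secret: bytes, transcript: bytes, nonce: bytes,
                 attrs: frozenset, now: float, ttl_s: float = 30.0):
        salt = hashlib.sha256(transcript).digest()          # both sides hash the same transcript
        self.k_reader = bytearray(hkdf_sha256(shared_secret, salt, b"SKReader"))
        self.k_device = bytearray(hkdf_sha256(shared_secret, salt, b"SKDevice"))
        self.nonce, self.attrs = nonce, attrs
        self.expires_at = now + ttl_s                       # lifetime measured in seconds
        self.closed = False

    def accept_response(self, nonce: bytes, attrs: frozenset, now: float) -> bool:
        """Valid only for this request's nonce and attribute set, inside the time window."""
        if self.closed or now > self.expires_at:
            return False
        if not hmac.compare_digest(nonce, self.nonce) or attrs != self.attrs:
            return False   # replayed/foreign nonce, or attributes the user did not consent to
        return True

    def close(self) -> None:
        """Destroy the session: zero both keys and refuse any further use."""
        for buf in (self.k_reader, self.k_device):
            for i in range(len(buf)):
                buf[i] = 0
        self.closed = True
```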

Relying Party Session After EUDI Wallet Verification

After successfully verifying a user's EUDI Wallet credentials, a relying party (such as a government website or online service) typically creates an authenticated session for the user, similar to a traditional login session. The relying party issues a session token (usually a secure HTTP cookie or JWT) that maintains the user's authenticated state during their interaction with the service. The management of this session is the relying party's responsibility, not the wallet's.

The EUDI Wallet Architecture Reference Framework provides guidelines for relying parties regarding session management after wallet-based authentication. Session tokens should be cryptographically random, transmitted only over HTTPS, and stored securely. Session lifetimes should be appropriate to the sensitivity of the service (shorter for banking, longer for informational services). Re-authentication using the EUDI Wallet should be required for sensitive operations within the session, such as changing account settings or authorizing payments.

A key consideration is that the relying party session should not outlive the assurance level of the original wallet-based authentication. If the wallet presentation included real-time device-binding proof (proving the user had their device at the moment of authentication), the relying party session should not extend that assurance indefinitely. For services requiring continuous assurance, the relying party can request periodic re-authentication through the wallet, ensuring that the session remains bound to the physical presence and consent of the authenticated user.
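An added example, not from the page or from the Architecture Reference Framework, of a relying-party session store applying the rules above: a fresh random token is minted after wallet verification (no pre-login id is reused, which blocks session fixation), the cookie carries Secure, HttpOnly and SameSite attributes, idle and absolute timeouts are enforced, and sensitive operations require step-up through the wallet once the original assurance has aged out. The timeout values, the operation names and the "step_up" result are assumptions.

```python
import secrets

IDLE_TIMEOUT_S = 10 * 60          # assumed policy values; tune to the service's sensitivity
ABSOLUTE_TIMEOUT_S = 8 * 3600
ASSURANCE_MAX_AGE_S = 15 * 60     # how long a wallet device-binding proof is trusted for
SENSITIVE_OPS = {"change_settings", "authorize_payment"}


class RelyingPartySessionStore:
    def __init__(self):
        self._sessions = {}

    def create(self, subject: str, wallet_auth_time: float, now: float) -> str:
        # A fresh 256-bit random token is minted after wallet verification; any session id the
        # client presented before login is never promoted, which blocks session fixation.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"subject": subject, "wallet_auth_time": wallet_auth_time,
                                 "created": now, "last_seen": now}
        return token

    @staticmethod
    def cookie_header(token: str) -> str:
        return f"Set-Cookie: session={token}; Secure; HttpOnly; SameSite=Strict; Path=/"

    def check(self, token: str, op: str, now: float) -> str:
        """'ok', 'step_up' (re-present through the wallet first) or 'invalid'."""
        s = self._sessions.get(token)
        if s is None:
            return "invalid"
        if now - s["last_seen"] > IDLE_TIMEOUT_S or now - s["created"] > ABSOLUTE_TIMEOUT_S:
            self.destroy(token)
            return "invalid"
        s["last_seen"] = now
        if op in SENSITIVE_OPS and now - s["wallet_auth_time"] > ASSURANCE_MAX_AGE_S:
            return "step_up"      # session still valid, but the wallet assurance has aged out
        return "ok"

    def refresh_assurance(self, token: str, wallet_auth_time: float) -> None:
        """Record a successful re-presentation through the wallet for an existing session."""
        if token in self._sessions:
            self._sessions[token]["wallet_auth_time"] = wallet_auth_time

    def destroy(self, token: str) -> None:
        self._sessions.pop(token, None)
```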



Sources

Information verified against official sources (2/16/2026)

  1. EU Digital Identity Wallet Architecture and Reference Framework
  2. OWASP Session Management Cheat Sheet
