Use when requests involve secure sessions, cookie settings, JWT versus database sessions, logout behavior, session hijacking risk, or making authenticated state safer and more auditable. Design and harden session security for web applications: cookie strategy, token lifetime, rotation, fixation defenses, invalidation, idle and absolute timeouts, logout semantics, and cross-device session governance.
