Inactive sessions are not invalidated within a reasonable amount of time

From external security tests, gitlab-ce#36121

  • Likelihood: Low
  • Impact: Medium

Confirmation & Substantiation:

After over 60 minutes of inactivity, a session was still valid.

Risk:

Attackers are given more opportunity than necessary to try to exploit a session.

Recommendation:

MG recommendation: Invalidate sessions after thirty minutes of inactivity or less. For sensitive applications, fifteen minutes or less is recommended.

@briann recommendation: rotate session IDs automatically
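As an added illustration of the two recommendations above (not GitLab's own code, and not part of this issue), the following Ruby sketch keeps a per-session last-activity timestamp, rejects and destroys a session once it has been idle longer than the configured limit, and rotates the session ID on demand so that a previously captured ID stops working. The in-memory hash, the `SessionStore` class and the `now:` keyword are assumptions made for the example; a real deployment would back this with the application's session store.

```ruby
require 'securerandom'

# Hypothetical session table for illustration only (not GitLab code):
# enforces an inactivity timeout and supports session ID rotation.
class SessionStore
  IDLE_TIMEOUT = 30 * 60 # seconds; use 15 * 60 for sensitive applications

  def initialize(idle_timeout: IDLE_TIMEOUT)
    @idle_timeout = idle_timeout
    @sessions = {} # session ID => { user_id:, last_seen_at: }
  end

  # Create a session for an authenticated user and return its opaque ID.
  # The `now:` parameter exists so callers (and tests) can inject the clock.
  def create(user_id, now: Time.now)
    sid = SecureRandom.hex(32)
    @sessions[sid] = { user_id: user_id, last_seen_at: now }
    sid
  end

  # Called on every request. Returns the user ID if the session is live,
  # otherwise destroys the idle record and returns nil.
  def touch(sid, now: Time.now)
    record = @sessions[sid]
    return nil unless record

    if now - record[:last_seen_at] > @idle_timeout
      @sessions.delete(sid) # idle too long: invalidate server-side
      return nil
    end

    record[:last_seen_at] = now # activity resets the idle clock
    record[:user_id]
  end

  # Issue a fresh ID for a live session and retire the old one, so an ID
  # captured earlier no longer maps to anything.
  def rotate(sid, now: Time.now)
    user_id = touch(sid, now: now)
    return nil unless user_id

    @sessions.delete(sid)
    create(user_id, now: now)
  end

  def live?(sid)
    @sessions.key?(sid)
  end
end
```

With the 30-minute limit, a session that last saw activity 60 minutes ago is refused and removed on its next use, which is the behaviour the test above found missing; rotating on login or privilege change complements the timeout by shortening the useful life of any single session ID.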

Edited Aug 10, 2017 by Ernst van Nierop