Best Practices In Web Application Development To Manage Active Sessions
A critical aspect of web application development is building the application so that it can manage active sessions well. Here are a few ways to achieve that:
- Web applications need a method of establishing sessions that keeps track of a user's requests and of account logout. If your application has a logout button or link on every page, users can log out easily. Also, users who have not logged in for a while should be locked out until they re-register.
- Timeout settings: these should be based on how users are likely to interact with the web application and on how sensitive the data is.
- If you don't want browsers to cache your content, set the cache-control directives in the server response headers (set them to no-store). There are some limitations here, however. Unfortunately, no-cache and no-store are not supported by HTTP 1.0 caches (they are HTTP 1.1 headers). Moreover, non-HTML content is often cached even when the above directives are set. Another concern is that some browsers store user-supplied form data, often insecurely. If any of your web forms collect sensitive data, add the attribute AUTOCOMPLETE=FALSE; this tells the browser not to store the data (it is not part of the HTML specification, however). If you consider your application high-risk, you can ask the user on a shared PC to clear the browser's cache and history.
- To ensure that session replay attacks cannot occur after an idle timeout or user logoff, clear the server-side session state, destroy the session on the server, and overwrite any session cookies in the browser when the user logs out or the session expires. Also, URLs should not include session IDs, because they can be seen by shoulder surfers, cached by the browser, and stored in the referrer logs of other sites. Ideally, a user's entire session should be SSL-protected to prevent session ID exposure through network interception. Session IDs that are long, complex random numbers, and that expire and are regenerated before any significant transaction, after a certain number of requests or period of time, and especially when switching to SSL, reduce the risk of session hijacking and brute-force attacks.
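As an added example (this is not code from the original article), the following stdlib-only Python sketch ties the list above together: a server-side session store with idle and absolute timeouts, random session IDs from the `secrets` module, ID regeneration at login, a logout that destroys server state and overwrites the cookie, the no-store and Pragma headers for responses carrying sensitive data, and a form field marked `autocomplete="off"` (the attribute value browsers actually honour as the opt-out). The cookie name, the timeout values, and the injectable clock are assumptions made for illustration, not settings taken from any particular framework.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed policy values; tune them to how users interact with the app and to data sensitivity.
IDLE_TIMEOUT = 15 * 60          # seconds without a request before the session is dropped
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard ceiling on session age, regardless of activity
COOKIE_NAME = "sid"             # assumed cookie name; the cookie carries only the opaque ID


@dataclass
class Session:
    user: Optional[str]
    created: float
    last_seen: float


class SessionStore:
    """Keeps all session state server side, keyed by a random, unguessable ID."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._sessions: Dict[str, Session] = {}
        self._now = now  # injectable clock so timeouts can be tested deterministically

    @staticmethod
    def _new_id() -> str:
        # 32 bytes (256 bits) from the OS CSPRNG, URL-safe base64 encoded.
        return secrets.token_urlsafe(32)

    def create(self) -> str:
        """Start an anonymous session and return its ID (to be sent only in a cookie, never a URL)."""
        sid = self._new_id()
        t = self._now()
        self._sessions[sid] = Session(user=None, created=t, last_seen=t)
        return sid

    def lookup(self, sid: str) -> Optional[Session]:
        """Return the live session for sid, or None if it is unknown or expired.

        An expired session is destroyed on the spot so it can never be replayed."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self._now()
        if t - s.last_seen > IDLE_TIMEOUT or t - s.created > ABSOLUTE_TIMEOUT:
            self.destroy(sid)
            return None
        s.last_seen = t
        return s

    def login(self, sid: str, user: str) -> str:
        """Bind the session to a user and rotate the ID so the pre-login ID is useless afterwards."""
        old = self.lookup(sid)
        t = self._now()
        new_sid = self._new_id()
        self._sessions[new_sid] = Session(
            user=user, created=old.created if old else t, last_seen=t)
        if old is not None:
            del self._sessions[sid]  # the pre-authentication ID stops working immediately
        return new_sid

    def destroy(self, sid: str) -> None:
        """Server-side logout: forget the state; the cookie alone is then worthless."""
        self._sessions.pop(sid, None)


def session_cookie(sid: str) -> str:
    """Set-Cookie value for a fresh ID: not readable by script, sent only over TLS, not cross-site."""
    return f"{COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def clear_session_cookie() -> str:
    """Set-Cookie value that overwrites the browser's copy of the ID on logout or expiry."""
    return (f"{COOKIE_NAME}=; Path=/; Max-Age=0; "
            "Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure; SameSite=Lax")


def no_store_headers() -> Dict[str, str]:
    """Response headers for pages carrying session-bound or sensitive data."""
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate",  # honoured by HTTP/1.1 caches
        "Pragma": "no-cache",  # best effort for HTTP/1.0 caches, which ignore Cache-Control
        "Expires": "0",
    }


def sensitive_input(name: str) -> str:
    """Form field for sensitive data; autocomplete="off" asks the browser not to store the value."""
    return f'<input type="text" name="{name}" autocomplete="off">'


def logout_response(store: SessionStore, sid: str) -> Dict[str, str]:
    """Everything a logout handler should emit: server state gone, cookie overwritten, no caching."""
    store.destroy(sid)
    headers = no_store_headers()
    headers["Set-Cookie"] = clear_session_cookie()
    return headers
```

In a real deployment the `SessionStore` would be backed by a shared store such as a database or cache rather than a process-local dictionary, and the request handler would read the ID only from the `Cookie` header, so that a session ID appearing in a query string is simply ignored.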
Make sure that you document the goals of session management for your application, and the mechanisms implemented to achieve them, in your security policy to avoid future complications.