Whenever a new session is created, it is assigned a maximum lifetime. This
lifetime is specified by storing the creation time of the session and the
timeout value valid at this time. If the actual time is later than creation
time plus timeout, the session is not reused.
Due to this realization, all sessions behave according to the timeout value
valid at the time of the session negotiation. Changes of the timeout value
do not affect already established sessions.
The expiration time of a single session can be modified using the
SSL_SESSION_get_time(3) family of functions.
Expired sessions are removed from the internal session cache, whenever
SSL_CTX_flush_sessions(3) is called, either
directly by the application or automatically (see
The default value for session timeout is decided on a per protocol
basis, see SSL_get_default_timeout(3).
All currently supported protocols have the same default timeout value
of 300 seconds.