* Expires after 60 minutes
* Either an encrypted value or a session link in a database
* Might need to switch to a JDBC session store
* Need to get an email service