Comment by nathansherburn

Comment by nathansherburn 6 months ago

2 replies

Wouldn't frequent reauth be beneficial for stolen sessions?

E.g., if you set your session timeouts to ~1 day, then by the time your session cookies are up for sale on the dark web, they will be expired.

The article doesn't mention this and it's the main reason I advocate for auth sessions that are as short as practical.

throw14082020 6 months ago

If your session cookies were stolen, can't they be stolen again and again too? A timeout of 1 day assumes the cookies can only be stolen once.