#auth #best-practice #development #reading-list

🔗 Short session expiration does not help security

When logged into a web application, the session does not remain valid forever. Typically, the session expires after a fixed time after login, or after the user has been idle for some time. How long should these times be?

In some web applications, sessions expire. You are logged out after a while and need to authenticate again. Current security advice is to use quite short session timeouts, such as after 15 minutes of inactivity. However, most mobile apps and big web applications such as Gmail or GitHub don't adhere to this. You can be logged in seemingly forever without authenticating again. Are these insecure? Do Google and Microsoft know better than NIST and OWASP?

continue reading on sjoerdlangkemper.nl

⚠️ This post links to an external website. ⚠️