#auth #best-practice #development #reading-list
🔗 Short session expiration does not help security
When you are logged into a web application, the session does not remain valid forever. Typically, the session expires a fixed time after login (an absolute timeout), or after the user has been idle for some time (an idle timeout). How long should these times be?
In some web applications, sessions expire: you are logged out after a while and need to authenticate again. Current security advice is to use quite short session timeouts, such as expiring after 15 minutes of inactivity. However, most mobile apps and large web applications such as Gmail or GitHub don't adhere to this: you can stay logged in seemingly forever without authenticating again. Are these insecure? Do Google and Microsoft know better than NIST and OWASP?
⚠️ This post links to an external website. ⚠️
If this post was enjoyable or useful for you, please share it! If you have comments, questions, or feedback, you can email my personal email. To get new posts, subscribe using the RSS feed.