top | item 44263503

(no title)

Wouldn't frequent reauth be beneficial for stolen sessions?

E.g. If you set your session timeouts to a ~1 day then by the time your session cookies are up for sale on the dark web, they will be expired.

The article doesn't mention this and it's the main reason I advocate for auth sessions that are as short as practical.

discuss

If your session cookies were stolen, they can be stolen again and again too? Timeouts of 1 day assumes the cookies can only be stolen once.

[deleted]