Comment by nathansherburn
2 days ago
Wouldn't frequent reauth be beneficial for stolen sessions?
E.g. if you set your session timeouts to ~1 day, then by the time your session cookies are up for sale on the dark web, they will be expired.
The article doesn't mention this and it's the main reason I advocate for auth sessions that are as short as practical.
If your session cookies were stolen, they can be stolen again and again too? Timeouts of 1 day assume the cookies can only be stolen once.