
I'm currently studying authentication mechanisms in ASP.NET Core and came across the SecurityStamp feature, which is also known from ASP.NET Standard. From what I understand from the answer here, this was added to perform a sign-out from all active sessions when something is modified in the account configuration (e.g. the password).

This could be useful when a password is compromised and the attacker's session should be invalidated. However, if this was the purpose, why is the default value of the validation interval set to 30 minutes? Such a setting makes the whole mechanism work with a delay of up to 30 minutes. Shouldn't this be a smaller value (let's say 1 minute) to make it more effective?

PJDev

1 Answer


It's to improve performance on larger scale applications.

Each SecurityStamp validation requires a database hit. With the validation interval set to zero, this would cause a database hit for every request. At 30 minutes, this keeps the window for abuse fairly low while drastically reducing the number of queries required.

As a worked example, a system with 10,000 concurrent users each making just 5 requests per minute would require 50,000 validation hits per minute when the interval is zero. Changing that interval to 1 minute reduces that to 10,000 hits per minute. Leaving the interval at the default of 30 minutes drops the rate to just 333 queries per minute, which is unlikely to be a cause of performance issues in any application at any scale, hence why it's the default. You can imagine that a short validation interval on an Ajax-heavy design making 10-20 web calls per page load and a few ongoing repeated queries might cause problems at scale.

You can tune this interval down to a minute or so if you are not expecting a large number of users.

Polynomial
  • Thank you for such a descriptive answer! Now it's completely understandable for me why such default value was set. – PJDev Aug 19 '17 at 22:51
  • Be interesting to know why Identity core did not implement a cached singleton for its initial data source which is refreshed on an independent basis on a background thread. I wrote my own and have no such issues with performance. The refresh is every 10 seconds. – Microsoft Developer May 23 '19 at 11:11
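An added model (not code from the original post or from ASP.NET Core Identity itself) of the trade-off the answer describes: a stamp check that is only repeated against the store once the validation interval has elapsed, run with the answer's 10,000 users at 5 requests per minute. The stamp values, the timings and the attacker holding a stale cookie are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass
class Session:
    user_id: str
    stamp: str           # stamp copied into the auth cookie at sign-in
    last_validated: int  # seconds since sign-in of the last store check


class SecurityStampValidator:
    """Cookie stamp is compared against the store only when `interval_s`
    seconds have passed since the last check; otherwise the cookie is trusted."""

    def __init__(self, store, interval_s):
        self.store = store          # user_id -> current stamp (stands in for the database)
        self.interval_s = interval_s
        self.db_hits = 0

    def validate(self, session, now):
        if now - session.last_validated < self.interval_s:
            return True             # within the interval: no database hit
        self.db_hits += 1
        session.last_validated = now
        return self.store[session.user_id] == session.stamp


def simulate(interval_s, users=10_000, req_per_min=5, minutes=30, change_at_s=430):
    """Return (store hits per minute, seconds a stale cookie survives a password change)."""
    store = {f"u{i}": "s0" for i in range(users)}
    sessions = [Session(f"u{i}", "s0", 0) for i in range(users)]
    legit = SecurityStampValidator(store, interval_s)
    # Constructed scenario: an attacker holds u0's cookie with the old stamp and
    # keeps sending requests after u0 changes the password at change_at_s.
    attacker = Session("u0", "s0", 0)
    probe = SecurityStampValidator(store, interval_s)
    revoked_at = None
    step = 60 // req_per_min
    for t in range(step, minutes * 60 + 1, step):
        if t >= change_at_s:
            store["u0"] = "s1"      # password change rotates the stored stamp
        for s in sessions:          # u0's own session would be re-issued in practice
            legit.validate(s, t)
        if revoked_at is None and not probe.validate(attacker, t):
            revoked_at = t
    delay = None if revoked_at is None else revoked_at - change_at_s
    return legit.db_hits / minutes, delay


if __name__ == "__main__":
    for label, interval in (("0", 0), ("1 min", 60), ("30 min (default)", 1800)):
        rate, delay = simulate(interval)
        print(f"interval {label:>16}: {rate:8.1f} store hits/min, stale cookie lived {delay} s")
```

The worst-case survival of a revoked cookie is the interval itself, while the query rate falls in proportion to it.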