6

Sessions expire differently in different places on the web:

  • StackOverflow: never expires
  • Twitter: never expires
  • Facebook: never expires
  • Stripe: expires after like 30 min or an hour or so
  • Some bank websites: expire after 15 minutes of inactivity
  • Other websites expire after 5 minutes no matter what

Latest practices say to keep requests session-less and to use a JWT that auto-refreshes every 15 minutes or on a new request, using a refresh token. The reason for this is you can blacklist a token quickly if it gets in the wrong hands, and it won't be usable for more than 15 minutes, keeping the attack duration minimal.

The problem is that you don't want to log out a user every 15 minutes; it's bad UX. StackOverflow and Twitter are great because you're always logged in.

The confusing part is why StackOverflow/Twitter don't do this. It seems like a security risk if you follow along the session-less 15-minute expiration path, or perhaps they are doing something to mitigate the risk.

Lance
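The short-lived access token plus refresh token pattern the question describes, as an added example that is not part of the original post. It builds a minimal HMAC-signed token (no JWT library, so it runs offline), issues a 15-minute access token alongside a longer-lived refresh token, rotates refresh tokens on use and keeps a server-side revocation list for them. The secret, the 30-day refresh lifetime and the `AuthServer` class are assumptions; the point it demonstrates is that revoking the refresh token stops new tokens from being minted, while an already-issued access token stays usable only until its 15-minute expiry, which is exactly the "attack duration" the question is trading UX against.

```python
import base64
import hashlib
import hmac
import json
import secrets

SECRET = b"constructed-demo-secret"   # constructed for the example; load a real key from a secret store
ACCESS_TTL = 15 * 60                  # 15-minute access token, the figure from the question
REFRESH_TTL = 30 * 24 * 3600          # assumption: refresh tokens live 30 days


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: dict) -> str:
    """Serialise the payload and append an HMAC-SHA256 tag: <payload>.<mac>."""
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    mac = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{mac}"


def verify(token: str, now: float):
    """Return the payload if the tag matches and the token has not expired, else None."""
    try:
        body, mac = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(mac, expected):
        return None
    payload = json.loads(_unb64(body))
    if payload["exp"] <= now:
        return None
    return payload


class AuthServer:
    """Hypothetical token issuer: stateless access tokens, revocable refresh tokens."""

    def __init__(self):
        self.revoked_refresh = set()   # refresh token ids (jti) that must never be honoured again

    def login(self, user: str, now: float):
        access = sign({"sub": user, "typ": "access", "exp": now + ACCESS_TTL})
        refresh = sign({"sub": user, "typ": "refresh", "exp": now + REFRESH_TTL,
                        "jti": secrets.token_hex(8)})
        return access, refresh

    def refresh(self, refresh_token: str, now: float):
        """Exchange a valid, unrevoked refresh token for a new pair; the old one is rotated out."""
        p = verify(refresh_token, now)
        if p is None or p.get("typ") != "refresh" or p["jti"] in self.revoked_refresh:
            return None
        self.revoked_refresh.add(p["jti"])   # single use: replay of the old token fails
        return self.login(p["sub"], now)

    def revoke(self, refresh_token: str, now: float) -> bool:
        """Logout / compromise response: deny the refresh token's id from now on."""
        p = verify(refresh_token, now)
        if p is None or p.get("typ") != "refresh":
            return False
        self.revoked_refresh.add(p["jti"])
        return True

    def authorize(self, access_token: str, now: float):
        """Per-request check: signature and expiry only, no database lookup."""
        p = verify(access_token, now)
        return p["sub"] if p and p.get("typ") == "access" else None
```

Because `authorize` never consults the revocation list, a leaked access token cannot be cut off early; the only lever is its `exp`, which is why the question's 15-minute figure bounds the exposure. The refresh token is the revocable credential, so it is the one to protect (HttpOnly cookie, secure storage on mobile) and the one to rotate on every use.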

1 Answer

3

First up, consider the audience. Obviously the breach of a bank account is going to be more disastrous than stack overflow. It needs to be tailored to the level of data you're processing.

Second up - I'm assuming because you say never expires, you mean the cookie never expires. This by itself isn't a good indicator. Session IDs and such can be regenerated periodically. Actual Session expiry by itself shouldn't be relied upon. PHP for example has a ridiculously complex system of invalidating sessions - More details can be found here: https://solutionfactor.net/blog/2014/02/08/implementing-session-timeout-with-php/

When considering inconvenience, you have to consider security impact in real terms. I hate my bank, it's forever timing out before I'm done... but due to the content, that's a consideration that needs to be made. If stackoverflow had my session time out half way through a reply I'd never use it again! (yes, I did only register tonight) But stack overflow doesn't store the personal data necessary to have a 15 minute timeout.

Apps are similar. You sign into twitter/facebook and you're signed in (pretty much) for good. They rely on the security of the device itself to "authenticate" you, as well as the fact that it's a device that will never go too far from you. Banks again require constant verification that you are who you say you are.

user164613
  • That is a great article about PHP sessions. Well, using PHP sessions is pretty easy, it's a bit complicated if you try to understand what happens behind the scenes. From the article, it seems like the guys had issues/bugs with the framework they were using, and not PHP itself, that's why they handled sessions themselves. – evilReiko Jun 26 '18 at 06:02
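The answer's point that a never-expiring cookie says little, because the server can regenerate session IDs and enforce its own timeouts, as an added example that is not part of the original answer or of the PHP article it links. It is a small server-side session store: the cookie value is just an opaque ID, and every request is checked against an inactivity limit (the 15-minute bank-style figure from the thread), an absolute lifetime, and a periodic ID rotation. The `SessionStore` class, the 8-hour absolute limit and the 5-minute rotation interval are assumptions.

```python
import secrets

IDLE_TIMEOUT = 15 * 60        # inactivity limit, the bank-style figure from the thread
ABSOLUTE_TIMEOUT = 8 * 3600   # assumption: hard cap on session age regardless of activity
ROTATE_EVERY = 5 * 60         # assumption: issue a fresh session id this often


class SessionStore:
    """Hypothetical server-side session store; the cookie only carries an opaque id."""

    def __init__(self):
        self._sessions = {}   # sid -> {"user", "created", "last_seen", "rotated"}

    def create(self, user: str, now: float) -> str:
        """Called after authentication; always mints a new id (no fixation of a pre-login id)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now, "rotated": now}
        return sid

    def touch(self, sid: str, now: float):
        """Validate on every request. Returns (user, sid_to_set_in_cookie) or (None, None)."""
        s = self._sessions.get(sid)
        if s is None:
            return None, None
        idle_for = now - s["last_seen"]
        age = now - s["created"]
        if idle_for > IDLE_TIMEOUT or age > ABSOLUTE_TIMEOUT:
            # Expiry is enforced here, not by the cookie's own lifetime.
            del self._sessions[sid]
            return None, None
        s["last_seen"] = now
        if now - s["rotated"] >= ROTATE_EVERY:
            return s["user"], self.regenerate(sid, now)
        return s["user"], sid

    def regenerate(self, sid: str, now: float) -> str:
        """Move the session under a new id; the old id stops working immediately."""
        s = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        s["rotated"] = now
        self._sessions[new_sid] = s
        return new_sid

    def destroy(self, sid: str) -> None:
        """Logout: drop the server-side record so the cookie value is worthless."""
        self._sessions.pop(sid, None)

    def active_count(self) -> int:
        return len(self._sessions)
```

The web layer would call `touch` on each request and, whenever the returned id differs from the one in the cookie, re-set the cookie. Which constants to pick is the audience question from the answer: a forum can afford a long idle limit, a bank cannot, but in both cases the server decides, not the cookie's `Expires` attribute.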