Short session expiration does not help security

When it comes to web application sessions, there is a debate about how long they should remain active. Current security advice recommends short session timeouts, yet many popular apps, such as Gmail and GitHub, let users stay logged in for extended periods without reauthenticating. The question is whether this practice is actually insecure. The threat model is unauthorized access to an active session, but expiring the session after 15 minutes of inactivity does not necessarily prevent session takeover, since a hijacked session that is being used keeps resetting its idle timer. Shared computers and compromised devices pose their own risks, and reauthentication introduces security concerns of its own. In the end, choosing a session timeout means weighing security against user experience. Facebook, Google, Amazon, and GitHub have opted for long-lasting sessions, considering it an acceptable risk.
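
As an added example (not code from the post or its author), the following Python replays request timestamps against a session record with the 15-minute idle timeout the post discusses; the optional absolute lifetime, the user name and the request timings are assumed values used to show that an idle timeout only ends a session nobody is using.

```python
# Added illustration, not code from the original post: a minimal session record
# with an inactivity timeout and an optional absolute lifetime. Replaying request
# timestamps against it shows that a short idle timeout only ends a session that
# nobody is using; a session that keeps receiving requests, from whoever holds
# the cookie, stays alive until an absolute limit ends it.
from dataclasses import dataclass
from typing import List, Optional

IDLE_TIMEOUT = 15 * 60  # 15 minutes of inactivity, the figure the post discusses


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float
    idle_timeout: float = IDLE_TIMEOUT
    absolute_lifetime: Optional[float] = None  # assumed hard cap; None = no cap

    def is_valid(self, now: float) -> bool:
        """Live only while the idle limit (and the absolute cap, if any) hold."""
        if now - self.last_seen >= self.idle_timeout:
            return False
        if self.absolute_lifetime is not None and now - self.created_at >= self.absolute_lifetime:
            return False
        return True

    def touch(self, now: float) -> bool:
        """Record a request; an expired session is refused and not revived."""
        if not self.is_valid(now):
            return False
        self.last_seen = now
        return True


def requests_served(request_times: List[float], absolute_lifetime: Optional[float] = None) -> int:
    """Replay requests (seconds since session creation) and count how many
    the session accepts before it expires."""
    s = Session("alice", 0.0, 0.0, absolute_lifetime=absolute_lifetime)  # constructed user
    served = 0
    for t in request_times:
        if not s.touch(t):
            break
        served += 1
    return served


if __name__ == "__main__":
    every_ten_minutes = [600 * i for i in range(1, 61)]  # constructed: 10 hours of steady use
    print(requests_served([60, 60 + 16 * 60]))           # idle user: cut off after 1
    print(requests_served(every_ten_minutes))            # steady use, idle timeout only: 60
    print(requests_served(every_ten_minutes, 8 * 3600))  # same use with an 8 h cap: 47
```

The second run is the case the post makes: with only an idle timeout, a session that is used every ten minutes never expires, regardless of who is using it; only the absolute cap in the third run ends it.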

https://www.sjoerdlangkemper.nl/2023/08/16/session-timeout/
