Almost everywhere, including on e.g. the PHP website, OWASP, and elsewhere, it is highly recommended to expire the session ID within a relatively short period of time. However, in all the examples given as to why a very long expiration, say a year (for a persistent login), is a bad idea, the reasoning is that it becomes easier for the session ID to be stolen.
I cannot see how that has anything to do with it.
If the server is set up to only serve HTTPS requests and no unencrypted requests, the session ID cannot be stolen by sidejacking. The only problem left is then if the user gets his computer hacked or if the server gets hacked, in which case we have a much more serious problem. In the first case the hacker can delete the session cookie and force the user to re-authenticate and most likely get access to the credentials (no need to steal the session ID). In the second case the server is compromised and all security goes out the window anyway.
I understand that in the days before HTTPS, the risk was very high for a MITM attack and it was relatively simple to hijack a session, but today, where HTTPS has become a de-facto standard, I cannot see any benefit of short-lived session IDs.
Am I missing something?