Almost everywhere, including on e.g. the PHP website, OWASP, and elsewhere, it is highly recommended to expire the session ID within a relatively short period of time. However, all the examples that are used as to why using a very long expiration, say like a year (for a persistent login), is bad say that it becomes easier for the session ID to be stolen.

I cannot see how that has anything to do with it.

If the server is set up to only serve HTTPS requests and no unencrypted requests, the session ID cannot be stolen by sidejacking. The only problem left is then if the user gets his computer hacked or if the server gets hacked, in which case we have a much more serious problem. In the first case the hacker can delete the session cookie and force the user to re-authenticate and most likely get access to the credentials (no need to steal the session ID). In the second case the server is compromised and all security goes out the window anyway.

I understand that in the days before HTTPS, the risk was very high for a MITM attack and it was relatively simple to hijack a session, but today, where HTTPS has become a de facto standard, I cannot see any benefit of short-lived session IDs.

Am I missing something?
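For readers weighing the question above, here is an added example (not the poster's code, and not tied to any particular framework) of the two expiry controls the OWASP guidance refers to: an idle timeout, which bounds how long an abandoned session stays usable, and an absolute lifetime, which bounds a session even when it is kept active. It also shows rotating the ID after login so that an ID observed before authentication is worthless afterwards. The timeout values and the in-memory store are constructed for illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 30 * 60            # constructed: 30 min without a request ends the session
ABSOLUTE_LIFETIME = 8 * 60 * 60   # constructed: 8 h hard cap, however active the user is

@dataclass
class Session:
    user: str
    created_at: float   # fixed at creation; survives ID rotation
    last_seen: float    # refreshed on every successful validation

class SessionStore:
    """In-memory session store enforcing idle and absolute expiry (constructed example)."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock          # injectable clock so expiry can be tested deterministically
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> str:
        now = self._clock()
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG; never a predictable counter
        self._sessions[sid] = Session(user, now, now)
        return sid

    def validate(self, sid: str) -> Optional[str]:
        """Return the user for a live session, or None (and drop it) if it has expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.created_at > ABSOLUTE_LIFETIME or now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]      # server-side invalidation: a stolen cookie is dead too
            return None
        s.last_seen = now
        return s.user

    def rotate(self, sid: str) -> Optional[str]:
        """Issue a fresh ID for the same session (e.g. right after login); the old ID stops working."""
        if self.validate(sid) is None:   # expired or unknown IDs cannot be rotated into a live one
            return None
        s = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = s      # created_at is kept, so rotation never extends the hard cap
        return new_sid
```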
