Impact
Compromised session tokens will remain valid until specifically invalidated by the application.
Description
The default value for the expiration time of the refresh JWT is 1 year.
Moreover, if the corresponding environment variable is not set, the code itself falls back to 1 year, so an unconfigured deployment issues year-long refresh tokens.
Many standards organizations such as PCI, OWASP, and NIST recommend extremely short timeouts (under an hour) before inactive user sessions are forcibly expired. A short timeout is argued to be a protection against account compromise in case a user's session token is leaked. However, there are few scenarios in which session token compromise is likely and a short timeout also provides protection. The most commonly considered scenario (physical compromise of a user's device) is not one which a web application can reasonably protect against, even if extremely short timeouts are implemented.
The drawback of aggressive session expiry is that it encourages users to choose short passwords and to enter passwords without verifying the application's domain. For this reason, many companies choose not to expire user sessions without some evidence that the session is compromised. Instead, effort is shifted to alternative account protections which have real-world evidence of effectiveness [2, 3], such as multi-factor authentication and proactive monitoring for evidence of token compromise. For example, a site might check the user's IP address and force a new login if the geolocation of the IP address has changed.
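The location check mentioned above, as an added example that is not the Guardian project's code: each request's coarse network location is compared with the location recorded at sign-in, and a change invalidates the session and forces re-authentication. The prefix-to-country table, the addresses and the session model are constructed for the example (the ranges are documentation prefixes, not real allocations); a deployment would query a GeoIP database and would usually compare ASN as well so that a mobile user's address churn within one network does not trigger it.

```python
# Added example, not project code. GEO_TABLE and the sample addresses are constructed.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

GEO_TABLE = [  # constructed sample data: documentation prefixes mapped to countries
    (ipaddress.ip_network("203.0.113.0/24"), "GB"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
]


def country_for(ip: str) -> Optional[str]:
    """Coarse location for an address, or None when the table has no entry."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_TABLE:
        if addr in net:
            return country
    return None


@dataclass
class Session:
    sub: str
    country: Optional[str]            # location recorded when the session was issued
    valid: bool = True
    events: list = field(default_factory=list)   # what the monitoring pipeline would see


def issue_session(sub: str, login_ip: str) -> Session:
    return Session(sub=sub, country=country_for(login_ip))


def check_request(session: Session, ip: str) -> str:
    """Return "ok" or "reauth".

    A session flagged once stays invalid until the user signs in again, even if a
    later request comes from the original location: the point is to end the
    attacker's session, not merely to block the suspicious request."""
    if not session.valid:
        return "reauth"
    here = country_for(ip)
    if here is None:
        # No evidence either way: allow, but record it so it can be correlated later.
        session.events.append(("unlocatable", ip))
        return "ok"
    if session.country is None:
        session.country = here        # first locatable request pins the session
        return "ok"
    if here != session.country:
        session.valid = False
        session.events.append(("location_changed", session.country, here, ip))
        return "reauth"
    return "ok"


def replay(sub: str, login_ip: str, request_ips: List[str]) -> List[Tuple[str, str]]:
    """Run a constructed sequence of requests against one session and return each decision."""
    session = issue_session(sub, login_ip)
    return [(ip, check_request(session, ip)) for ip in request_ips]


if __name__ == "__main__":
    # Sign-in from GB; a different GB address passes, a private address is
    # unlocatable and passes, a DE address ends the session, and the original
    # GB address is then rejected as well.
    for ip, decision in replay("alice", "203.0.113.5",
                               ["203.0.113.77", "10.0.0.5", "198.51.100.9", "203.0.113.5"]):
        print(f"{ip:>15}  {decision}")
```

Country-level comparison is deliberately coarse: a user whose address changes within the same country (home Wi-Fi to mobile data) is not logged out, which keeps the control from training users to re-enter passwords on every network change.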
Recommendation
NCC Group recommends that most applications set a reasonable session timeout that meets the standard followed by the organization. Session timeouts should not generally be shorter than one day (24 hours) unless mandated by an external standards organization. For applications which do not contain critically sensitive user data or functionality, timeouts between one week and one month are reasonable. The session timeout may be increased if the application implements strong account takeover (ATO) protections such as mandatory multi-factor authentication, proactive detection for ATO, and user visibility and management of sessions.
NCC Group does not recommend implementing any change which forces users to have only a single active session. Accessing an application across multiple devices or browsers is a common scenario which does not create a security risk for most web applications.
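The configuration pattern from the Description and the controls from the Recommendation, as an added example that is not the Guardian project's code: a minimal HS256 refresh-token issuer whose lifetime comes from an environment variable with a hard-coded fallback, shown with the one-year fallback the finding describes beside a one-week lifetime inside the recommended band, and with per-token revocation so that a session can be ended without waiting for expiry. The variable name REFRESH_TOKEN_TTL_SECONDS, the signing secret and the timestamps are assumptions; a real service would use a vetted JWT library rather than the hand-rolled signing here.

```python
# Added example, not project code. REFRESH_TOKEN_TTL_SECONDS, the secret and the
# timestamps are assumptions chosen for the walk-through.
import base64
import hashlib
import hmac
import json
import os
import secrets

ONE_YEAR = 365 * 24 * 3600        # the weak fallback the finding describes
RECOMMENDED_TTL = 7 * 24 * 3600   # one week, inside the recommended one-day..one-month band


def refresh_ttl_from_env(env=None, fallback=ONE_YEAR):
    """Lifetime in seconds for a new refresh token.

    With fallback=ONE_YEAR this reproduces the weak behaviour: when the variable is
    absent the code silently issues one-year tokens. The fix is a bounded fallback."""
    env = os.environ if env is None else env
    raw = env.get("REFRESH_TOKEN_TTL_SECONDS")
    return int(raw) if raw else fallback


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def issue_refresh_token(secret: bytes, sub: str, ttl: int, now: int) -> str:
    """Sign {sub, iat, exp, jti} with HS256. The jti lets one token be revoked."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8)}
    signing_input = _encode_json(header) + "." + _encode_json(payload)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_refresh_token(secret: bytes, token: str, now: int, revoked: set):
    """Return the payload if the token is authentic, unexpired and not revoked, else None."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
    except ValueError:                    # malformed base64 / JSON / wrong segment count
        return None
    if header.get("alg") != "HS256":      # pin the algorithm; never let the token choose it
        return None
    if payload.get("exp", 0) <= now:      # expired: the bounded lifetime doing its job
        return None
    if payload.get("jti") in revoked:     # revoked: "sign out everywhere" or an ATO response
        return None
    return payload


def demo(secret: bytes = b"example-secret-do-not-use", now: int = 1_700_000_000) -> dict:
    """Walk through the weak default, a bounded lifetime and revocation with fixed clocks."""
    revoked = set()
    # Variable unset: the fallback yields a one-year token, and a leaked copy is
    # still accepted 300 days later.
    weak = issue_refresh_token(secret, "alice", refresh_ttl_from_env(env={}), now)
    leaked_still_valid = verify_refresh_token(secret, weak, now + 300 * 86400, revoked) is not None
    # Bounded lifetime: the same kind of leak is dead after eight days.
    bounded = issue_refresh_token(secret, "alice", RECOMMENDED_TTL, now)
    bounded_rejected = verify_refresh_token(secret, bounded, now + 8 * 86400, revoked) is None
    # Revocation: invalidating the jti ends the session immediately, no expiry needed.
    payload = verify_refresh_token(secret, bounded, now + 60, revoked)
    revoked.add(payload["jti"])
    revoked_rejected = verify_refresh_token(secret, bounded, now + 61, revoked) is None
    # Tampering: extending exp without the key breaks the signature.
    h, _, s = bounded.split(".")
    forged = h + "." + _encode_json(dict(payload, exp=now + ONE_YEAR)) + "." + s
    forged_rejected = verify_refresh_token(secret, forged, now + 60, revoked) is None
    return {"leaked_still_valid": leaked_still_valid, "bounded_rejected": bounded_rejected,
            "revoked_rejected": revoked_rejected, "forged_rejected": forged_rejected}


if __name__ == "__main__":
    print(demo())
```

The revocation set stands in for whatever store backs "user visibility and management of sessions": listing a user's active jti values and deleting one is the sign-out-a-device control, and deleting all of them is the response to a suspected takeover, neither of which depends on the token lifetime.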
Location
Guardian Web Application