Tags: security, authentication, token, registration

Should login tokens expire?


I have developed an app including a web backend offering methods for logging in via email and password or via token. When logging in via email, the server stores a token in the user's record which expires after 30 days. This token can then be used for automatically logging in without needing to type in email and password again every time. At least for 30 days.

Now my question: Is it really necessary that the token expires? And if so, why?

Bye


Solution

  • The usability answer is "No, it should not expire." The security answer is "Yes, it should definitely expire."

    Why: Weak authentication and session management is number 2 on the OWASP Top Ten (1). A common best practice to defend against session hijacking and other session-based attacks is session expiration. This way, the impact of a stolen, predicted or brute-forced token is reduced. It also reduces the time an attacker has to "break" the token. You can find a good summary on session expiration here: (2)
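The following is an added example, not code from the question or the answer above, showing what the answer's advice looks like in practice for a 30-day login token like the one the question describes. It issues a random token, records an absolute expiry next to it, and refuses the token once that time has passed, so a copy that leaks later is worthless. It assumes an in-memory dictionary standing in for the user record (hypothetical; a real backend would use its database), and it goes one step beyond the answer by storing only a SHA-256 hash of the token, so a dump of the records does not hand out usable login tokens.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_LIFETIME = 30 * 24 * 60 * 60  # 30 days, the lifetime from the question

# Constructed in-memory store standing in for the user record (hypothetical).
# Maps user id -> {"token_hash": ..., "expires_at": ...}
_users = {}


def _hash_token(token):
    # Store a hash, never the token itself: a leaked record cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(user_id, now=None):
    """Create a fresh login token for user_id and return it to the caller.

    Only the hash and the absolute expiry time are persisted; the plaintext
    token goes to the client once and is never stored.
    """
    now = time.time() if now is None else now
    # 32 random bytes (256 bits): infeasible to guess or brute-force
    token = secrets.token_urlsafe(32)
    _users[user_id] = {
        "token_hash": _hash_token(token),
        "expires_at": now + TOKEN_LIFETIME,
    }
    return token


def verify_token(user_id, presented, now=None):
    """Return True only for a valid, unexpired token belonging to user_id."""
    now = time.time() if now is None else now
    rec = _users.get(user_id)
    if rec is None:
        return False
    if now >= rec["expires_at"]:
        # Expired: delete the record so the token can never be used again,
        # which is the whole point of expiry (bounded damage from a stolen token).
        del _users[user_id]
        return False
    # Constant-time comparison so the check leaks nothing through timing.
    return hmac.compare_digest(_hash_token(presented), rec["token_hash"])


def revoke_token(user_id):
    """Explicit logout: drop the token before its expiry."""
    _users.pop(user_id, None)


if __name__ == "__main__":
    t0 = 1_700_000_000.0  # constructed fixed clock for a reproducible demo
    tok = issue_token("alice", now=t0)
    print("fresh token accepted:", verify_token("alice", tok, now=t0 + 60))
    print("after 30 days:", verify_token("alice", tok, now=t0 + TOKEN_LIFETIME))
```

The clock is passed in explicitly so expiry can be tested without waiting 30 days. Note that a single absolute expiry means a token stolen on day 29 is only useful for a day, while one stolen on day 1 lasts almost the full month; if that window is too long, shorten the lifetime or additionally rotate the token on each successful automatic login.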