Expire session tokens after X amount of time; Refresh on use #238

Description

@marfavi

Currently, session tokens are valid for an extended amount of time. This can pose security risks, as prolonged token validity increases the chances of unauthorized access if a token is compromised. Implementing a short-lived session token that can be refreshed also enables the implementation of AnalogIO/coffeecard_app#169.

Proposed change

Implement a system where each session token expires after a specified duration, e.g., X minutes of inactivity. Additionally, the token should be refreshed (i.e., its expiration is extended) each time it's used. This approach balances security with user convenience, ensuring sessions remain active as long as the user is actively using the app but expire after a period of inactivity.

Rationale

This change is aimed at enhancing the security of our application by reducing the risk of token misuse. It also aligns with standard security practices in apps handling items that have monetary value, e.g. MobilePay.

Key points

  1. Token Expiration: Define a reasonable default for the token expiration time, such as 15-30 minutes of inactivity.
  2. Refresh Mechanism: Ensure that each valid request to the server refreshes the token's expiration time.
  3. User Experience: Consider how expired sessions will be handled on the client-side. For instance, each time the app is switched to, a ping call to the server can ensure that the stored session token is still valid. If it expired, the user would be prompted to enter their PIN to get a new token (as per coffeecard_app#169, "User should reenter his PIN code after 2 hours of inactivity").
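The three key points above describe one mechanism: issue a token, push its expiry forward on every authenticated request, and let the client ping to learn whether it must re-prompt for the PIN. The following is an added example, not code from this issue or from the coffeecard backend, of a server-side session store that does exactly that. The 20-minute idle timeout, the 12-hour absolute lifetime, the `SessionStore` class and the `FakeClock` helper are assumptions made for illustration. The absolute lifetime is a caveat worth carrying into the real implementation: with a purely sliding window, whoever holds a stolen token can keep it alive forever by using it, so the sliding deadline here is capped at a fixed time after issue.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Hypothetical defaults, not the project's own settings: 20 minutes of
# inactivity (inside the 15-30 minute range proposed above) plus an absolute
# cap so a compromised token cannot be kept alive indefinitely by refreshing it.
IDLE_TIMEOUT_SECONDS = 20 * 60
ABSOLUTE_LIFETIME_SECONDS = 12 * 60 * 60


@dataclass
class Session:
    user_id: int
    issued_at: float
    expires_at: float  # sliding deadline, pushed forward on every use


class SessionStore:
    """In-memory store of sliding-expiration session tokens (illustrative).

    Only a SHA-256 digest of each token is kept, so a leaked copy of the store
    does not hand out usable tokens. The clock is injectable so expiry can be
    exercised without sleeping.
    """

    def __init__(self, clock: Callable[[], float] = time.time,
                 idle_timeout: int = IDLE_TIMEOUT_SECONDS,
                 max_lifetime: int = ABSOLUTE_LIFETIME_SECONDS) -> None:
        self._clock = clock
        self._idle_timeout = idle_timeout
        self._max_lifetime = max_lifetime
        self._sessions: dict[str, Session] = {}  # keyed by token digest

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def _is_dead(self, session: Session, now: float) -> bool:
        return now >= session.expires_at or now >= session.issued_at + self._max_lifetime

    def create(self, user_id: int) -> str:
        """Issue a fresh 256-bit random token after the user authenticates (e.g. by PIN)."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[self._digest(token)] = Session(
            user_id=user_id, issued_at=now, expires_at=now + self._idle_timeout)
        return token

    def validate_and_refresh(self, token: str) -> Optional[int]:
        """Return the user id if the token is live and extend its idle deadline.

        Returns None (and forgets the session) once the idle deadline or the
        absolute lifetime has passed; the client should then prompt for the PIN.
        """
        key = self._digest(token)
        session = self._sessions.get(key)
        if session is None:
            return None
        now = self._clock()
        if self._is_dead(session, now):
            del self._sessions[key]
            return None
        # Refresh on use, but never beyond the absolute cap.
        session.expires_at = min(now + self._idle_timeout,
                                 session.issued_at + self._max_lifetime)
        return session.user_id

    def ping(self, token: str) -> bool:
        """What the app calls when brought to the foreground: is the stored token still valid?"""
        return self.validate_and_refresh(token) is not None

    def revoke(self, token: str) -> None:
        """Explicit logout: drop the session regardless of remaining lifetime."""
        self._sessions.pop(self._digest(token), None)

    def purge_expired(self) -> int:
        """Drop dead sessions so the store does not grow without bound; returns the count."""
        now = self._clock()
        dead = [k for k, s in self._sessions.items() if self._is_dead(s, now)]
        for k in dead:
            del self._sessions[k]
        return len(dead)


class FakeClock:
    """Controllable clock (test helper, not production code)."""

    def __init__(self, start: float = 1_000_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def walkthrough() -> dict:
    """Constructed scenario (not real traffic): refresh-on-use and both expiry paths."""
    clock = FakeClock()
    store = SessionStore(clock=clock, idle_timeout=20 * 60, max_lifetime=60 * 60)
    results = {}
    token = store.create(user_id=42)
    clock.advance(15 * 60)                       # 15 min idle: still inside the window
    results["after_15m"] = store.ping(token)     # True, deadline moves to +35 min
    clock.advance(15 * 60)                       # 15 min since last use
    results["after_30m"] = store.ping(token)     # True, refreshed again
    clock.advance(25 * 60)                       # 25 min with no request: idle deadline passed
    results["after_55m_idle"] = store.ping(token)  # False, session dropped
    # Absolute cap: a session used every 10 min still dies at the 60 min mark.
    busy = store.create(user_id=7)
    alive = []
    for _ in range(7):
        clock.advance(10 * 60)
        alive.append(store.ping(busy))
    results["busy_session"] = alive              # [True]*5 + [False, False]
    results["unknown_token"] = store.ping("not-a-real-token")
    return results


if __name__ == "__main__":
    print(walkthrough())
```

`validate_and_refresh` is the check every authenticated endpoint would run before doing work; `ping` is the same check exposed for the client's foreground call in point 3. Persisting the store (database, Redis) changes nothing about the logic, only where the digests live.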

Labels: discuss (Discuss before implementing), help wanted (Extra attention is needed)