There is no one-size-fits-all answer to the question of the maximum recommended access token lifespan for web tokens for user login, as it depends on several factors, such as the security requirements of your application, the sensitivity of the data being accessed, and the user experience you want to provide.
Generally speaking, shorter access token lifespans can provide better security, as they limit the window of opportunity for attackers to exploit stolen or leaked tokens. However, shorter token lifespans can also result in a poorer user experience, as users may need to log in more frequently.
On the other hand, longer token lifespans can improve the user experience by allowing users to stay logged in for longer periods of time. However, longer token lifespans also increase the risk of token theft or misuse, as stolen tokens can be used by attackers for a longer period of time.
Coinbase's approach to access token lifespan may be appropriate for their specific use case and risk tolerance, but it may not be suitable for every application. It's important to consider your specific security requirements and user experience goals when deciding on an appropriate access token lifespan for your application.
In general, a few hours may be safe for certain applications, but you should also consider implementing other security measures such as token revocation, rate limiting, and IP address restrictions to reduce the risk of unauthorized access.
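An added example, not part of the original answer: a minimal sketch of how a short lifetime and revocation work together at validation time. The token format (an HMAC-signed JSON body), the 2-hour `ACCESS_TTL`, and all function names are assumptions made for illustration; a real deployment would normally use an established JWT or session library.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = secrets.token_bytes(32)  # demo signing key, generated per run
ACCESS_TTL = 2 * 60 * 60          # assumed lifetime: 2 hours ("a few hours")
revoked = {}                      # jti -> exp; an entry is only needed until exp

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(user: str, now: float, ttl: int = ACCESS_TTL) -> str:
    """Issue a signed token carrying an expiry and a unique id (jti)."""
    claims = {"sub": user, "iat": int(now), "exp": int(now) + ttl,
              "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(claims).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def validate(token: str, now: float):
    """Return (claims, 'ok') or (None, reason). Signature is checked first."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None, "bad signature"
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None, "malformed"
    if now >= claims["exp"]:      # the lifetime bounds the theft window
        return None, "expired"
    if claims["jti"] in revoked:  # revocation closes the window early
        return None, "revoked"
    return claims, "ok"

def revoke(token: str, now: float) -> None:
    """Denylist a still-valid token, e.g. on logout or suspected theft."""
    claims, _ = validate(token, now)
    if claims:
        revoked[claims["jti"]] = claims["exp"]

def prune(now: float) -> None:
    """Drop denylist entries whose tokens have expired on their own."""
    for jti in [j for j, exp in revoked.items() if exp <= now]:
        del revoked[jti]
```

Because denylist entries can be pruned once the token would have expired anyway, a shorter lifetime also keeps the revocation store small.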