Shall we specify a recommended lifetime or leave it open?
Perhaps relevant:
The TLS 1.2 spec says: "An upper limit of 24 hours is suggested for session ID lifetimes, since an attacker who obtains a master_secret may be able to impersonate the compromised party until the corresponding session ID is retired."