djoos / EscapeWSSEAuthenticationBundle

Symfony bundle to implement WSSE authentication
http://symfony.com/doc/current/cookbook/security/custom_authentication_provider.html

How do I set a token lifetime to infinity? #90

Closed pedrofurtado closed 6 years ago

pedrofurtado commented 6 years ago

How do I set a token lifetime to infinity (i.e., without expiration)?

djoos commented 6 years ago

Hi @pedrofurtado,

currently you can't do so by specifying a value like -1 or so. The reason is that it's probably not a good idea, or at the very least needs to be done with care. Unless you would store all nonces forever, you would be vulnerable to replay attacks if you allow infinite token lifetime... In practice nonces get cleaned up, and this cleanup can be done safely if they're all older than the lifetime.

If you were to want to go ahead with this, I'd suggest creating a method isTokenExpired in the Provider (similar to the isTokenFromFuture method), moving the current logic in there.

Afterwards send it over as a PR :-) as even though I wouldn't encourage it, I wouldn't mind giving the ability to override the "is token expired" logic of the bundle in an easier way. And in your project, I'd use the (new, PR-merged) bundle version and then [override the Provider class by your own class](https://github.com/djoos/EscapeWSSEAuthenticationBundle#specify-custom-authentication-classes), extending the bundle Provider but implementing your own isTokenExpired logic; i.e. just returning false all the time for your use case.

TL;DR It's not straightforward, nor recommended, but doable.

If you do end up extracting the isTokenExpired logic into a method, please send in a PR, happy to merge it in. I'll close this issue, but don't hesitate to reach out if you have any further questions or comments...

Hope this helps! David
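The coupling David describes between the token lifetime and nonce cleanup, as an added example in plain PHP that is not the bundle's own code: a minimal WSSE validator whose nonce cache may only be pruned past the same lifetime that isTokenExpired enforces, so that overriding isTokenExpired to always return false also removes the justification for pruning. The digest form (base64 of sha1 over decoded nonce, created, secret), the in-memory cache and the class and method names other than isTokenFromFuture/isTokenExpired are assumptions.

```php
<?php
// Added example, not code from EscapeWSSEAuthenticationBundle. Assumed digest:
// PasswordDigest = base64(sha1(base64_decode(nonce) . created . secret)).
final class WsseValidator
{
    /** @var array<string,int> nonce => Created timestamp (assumed in-memory cache) */
    private array $seenNonces = [];

    public function __construct(private string $secret, private int $lifetime = 300) {}

    // Same idea as the bundle's isTokenFromFuture: reject Created stamps ahead of now.
    public function isTokenFromFuture(int $created, int $now): bool
    {
        return $created > $now;
    }

    // The method the maintainer suggests extracting. Returning false here gives an
    // infinite lifetime, but then pruneNonces() would also never be allowed to forget.
    public function isTokenExpired(int $created, int $now): bool
    {
        return $now - $created > $this->lifetime;
    }

    public function validate(string $nonce, string $created, string $digest, int $now): bool
    {
        $createdTs = strtotime($created);
        if ($createdTs === false || $this->isTokenFromFuture($createdTs, $now)
            || $this->isTokenExpired($createdTs, $now)) {
            return false;
        }
        if (isset($this->seenNonces[$nonce])) {
            return false; // replay: nonce already used inside the lifetime window
        }
        $expected = base64_encode(sha1(base64_decode($nonce) . $created . $this->secret, true));
        if (!hash_equals($expected, $digest)) {
            return false;
        }
        $this->seenNonces[$nonce] = $createdTs;
        return true;
    }

    // Safe only because isTokenExpired() already rejects anything older than the
    // lifetime: such a nonce can never be replayed, so forgetting it loses nothing.
    public function pruneNonces(int $now): int
    {
        $before = count($this->seenNonces);
        $this->seenNonces = array_filter($this->seenNonces, fn(int $ts) => !$this->isTokenExpired($ts, $now));
        return $before - count($this->seenNonces);
    }
}
```

A second validate() call with the same nonce inside the window returns false; after pruneNonces() runs past the lifetime the nonce is gone, but validate() would reject the old Created stamp anyway.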

pedrofurtado commented 6 years ago

@djoos I sent a pull request with a little change in code. Please send a review there! Thanks!