Besically the idea of it is if someone gets their hands on a token
In my case the token is stored in the secure enclave and sent to the backend over TLS so that is hardly the case.
without an expire that does not belong to them they will forever have access with that token. With an expire time that is not the case.
I don’t see much difference between forever and at least some time: in both cases the system is breached and the damage is done.
I believe the purpose of this warning is to encourage people to explicitly opt-in to non-expiring tokens by setting max_age to :infinity. The future default will ‘err on the side of caution’, which is a good security practice.
What I don’t understand, is why should there be a default for everyone, even if, as in my case, there isn’t any real additional threat for having “forever valid” signed session ids …
In a production environment, non-expiring tokens should only really be used if the token can be revoked, e.g. on sign-out or when the user changes password.
In my case the users don’t have passwords, their “accounts” are tied in to their installation of the app (iCloudID). I only need to know their account or user id, which is, again, exchanged with the server over TLS and the token itself is stored in the secure enclave.
Without revocation, every sign-in would issue yet another valid token, and the user would have no control over who might abuse such old tokens.
That might affect me, but I’m not sure how. Currently, only one installation of the app per account is allowed, but in the future I might change that. But even then I don’t see why I would want to revoke a token with session id, for someone to abuse it, the abuser would have to have direct access to the victim’s phone.
or yet-to-be-discovered weaknesses in crypto protocols might allow an attacker to extract a token from an old packet capture.
This definitely could affect me. But that would affect every user, so I might as well just change the secret used for signing the tokens.
Thank you, @voltone!