How short should a websocket token be? In “Programming Phoenix” it is measured in weeks, in “Real-Time Phoenix” — 10 minutes. AFAIU, if the token gets stolen, then it can always be used to authenticate with the socket and thus take read/write access on behalf of another user, and also the token can’t be revoked — hence the desire to make it short-lived (but we also could use revokable cookie sessions in websockets as well, except that we can’t).
How will the life of the token affect UX? If the token lives 10 minutes, what happens to the connected user when the token gets updated but the user still has the old token?
Edit: actually I think some UX problems are mentioned here for short-lived tokens (right side of the picture): Stop using JWT for sessions, part 2: Why your solution doesn't work - joepie91's Ramblings
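Added example (not from the post, the books, or Phoenix itself) showing what a short-lived signed token actually buys and how its lifetime interacts with a long-lived socket. The token format and `verify_token` return shape are a simplified Python stand-in for `Phoenix.Token.sign/4` and `Phoenix.Token.verify/4` (which use a real message verifier and Erlang term encoding); the secret, user id, timestamps and the 600-second `max_age` are constructed values. The key point modelled by `connect` is that the token is only checked once, in the socket's connect callback: an already-open connection keeps running after the token expires, and only a reconnect needs a freshly minted token.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed secret for this example only; an app would keep this in config.
SECRET = b"example-secret-key-base-not-for-production"
MAX_AGE = 600  # seconds: the 10-minute lifetime mentioned in "Real-Time Phoenix"


def sign_token(user_id: int, issued_at: int, secret: bytes = SECRET) -> str:
    """Produce 'payload.signature'. Like Phoenix.Token, the payload is signed,
    not encrypted: anyone can read the user id, nobody can change it."""
    payload = f"{user_id}|{issued_at}".encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return b".".join(
        (base64.urlsafe_b64encode(payload), base64.urlsafe_b64encode(sig))
    ).decode()


def verify_token(token: str, max_age: int, now: int, secret: bytes = SECRET):
    """Return ('ok', user_id), ('error', 'invalid') or ('error', 'expired'),
    mirroring the result tuples of Phoenix.Token.verify/4."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, binascii.Error):
        return ("error", "invalid")
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    # Constant-time compare; checked before the age so a forged token never
    # learns whether its claimed timestamp would have been accepted.
    if not hmac.compare_digest(sig, expected):
        return ("error", "invalid")
    user_id, issued_at = payload.decode().split("|")
    if now - int(issued_at) > max_age:
        return ("error", "expired")
    return ("ok", int(user_id))


def connect(token: str, now: int):
    """Stand-in for the socket's connect callback: the token is verified here
    and nowhere else, so an open socket is never re-checked."""
    result = verify_token(token, MAX_AGE, now)
    if result[0] != "ok":
        return None
    return {"user_id": result[1], "connected_at": now}


def simulate_session():
    """Walk one user through token expiry: the original socket stays up,
    a reconnect with the stale token is refused, a reconnect with a token
    re-issued by the (cookie-authenticated) HTTP session succeeds."""
    t0 = 1_000_000
    token = sign_token(42, t0)
    socket = connect(token, t0)                     # fresh token: accepted
    reconnect_old = connect(token, t0 + 900)        # 15 min later, same token: refused
    fresh = sign_token(42, t0 + 900)                # server mints a new token
    reconnect_fresh = connect(fresh, t0 + 900)      # accepted again
    return {
        "initial_connect_ok": socket is not None,
        "old_token_after_expiry": verify_token(token, MAX_AGE, t0 + 900),
        "reconnect_with_old_ok": reconnect_old is not None,
        "reconnect_with_fresh_ok": reconnect_fresh is not None,
    }


if __name__ == "__main__":
    for key, value in simulate_session().items():
        print(f"{key}: {value}")
```

Read the result as the UX answer to the question: the 10-minute lifetime bounds how long a stolen token can be used to *open* a socket, not how long a socket stays open, so a connected user notices nothing when the token ages out. The cost shows up only on reconnect (network blip, page reload), where the client must obtain a new token from the cookie-authenticated endpoint instead of reusing the one it loaded with; phoenix.js lets `params` be a function so that the token is fetched fresh on every reconnect rather than captured once at page load.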