The way I like to handle session tokens, which seems like a good compromise between security and user friendliness: automatically renew the token as long as the user is actively using the website. I usually use a 12 hour token and renew if it's 8 hours old or more. The renewal requires the use of a second token stored locally in the browser, so even if you somehow sniff the token off the wire, you still can't renew it without control of the user's browser.
And frankly if they have control of the user's browser, they could probably install a key logger anyway.
That way, if someone is constantly using the site, they would never notice a logout, but otherwise they might have to login once a day.
Do you sign a request with that reauth token or do you send the reauth token? Because if they’re getting mitm then all is lost. How long does the reauth token last for? Is a new one issued when you reauth?
As negative as I sound, the system is better than just allowing the regular api token to extend the session. Of the hundreds to thousands of api requests a regular user may make a day, only 1 is the reauth, which is nice.
Security is an onion. Every layer is a bit sour and eventually you’ll cry.
> Do you sign a request with that reauth token or do you send the reauth token?
Sign
> Because if they’re getting mitm then all is lost.
This is true regardless of your authentication scheme, which is why https is important and then you have to hope they didn't just click through a warning and ignore it or have their trust store compromised or....
> How long does the reauth token last for?
Until it is reissued. But since the auth token is only good for 12 hours, effectively 12 hours max, since it can't be used for reauth without a valid auth token.
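A sketch of the scheme as described in this exchange (12 hour token, renewable once it is 8 hours old, renewal request signed with a second secret that never leaves the browser), written as an added example rather than any commenter's own code. The class and function names, the constructed in-memory store and the 5 minute timestamp window for the renewal request are assumptions.

```python
import hmac, hashlib, secrets, time

TOKEN_TTL = 12 * 3600     # session token is good for 12 hours
RENEW_AFTER = 8 * 3600    # renewal only permitted once it is 8 hours old
REQUEST_WINDOW = 300      # assumed: reject renewal requests with a stale timestamp


def sign_renewal(reauth_secret, token, ts):
    """Browser side: prove possession of the reauth secret without sending it."""
    msg = f"renew|{token}|{ts}".encode()
    return hmac.new(reauth_secret, msg, hashlib.sha256).hexdigest()


class SessionStore:
    """Constructed server-side store: session token -> (issued_at, reauth secret)."""

    def __init__(self):
        self.sessions = {}

    def login(self, now):
        token = secrets.token_urlsafe(32)        # sent with every request
        reauth_secret = secrets.token_bytes(32)  # kept in the browser, never sent
        self.sessions[token] = (now, reauth_secret)
        return token, reauth_secret

    def is_valid(self, token, now):
        entry = self.sessions.get(token)
        return entry is not None and now - entry[0] < TOKEN_TTL

    def renew(self, token, ts, sig, now):
        """Issue a fresh token+secret pair, or None if the request is refused."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        issued_at, reauth_secret = entry
        if now - issued_at >= TOKEN_TTL:     # expired token cannot be used for reauth
            return None
        if now - issued_at < RENEW_AFTER:    # too young, nothing to renew yet
            return None
        if abs(now - ts) > REQUEST_WINDOW:   # stale or replayed renewal request
            return None
        expected = sign_renewal(reauth_secret, token, ts)
        if not hmac.compare_digest(expected, sig):
            return None                      # sniffed token alone is not enough
        del self.sessions[token]             # old pair is retired on reissue
        return self.login(now)
```

A token captured off the wire still expires within 12 hours, because the renewal signature requires the secret that stayed in the browser.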
With mitm everything is lost. I could just wait until the user gets a reauth token again, assuming the reauth token expires (which it always should). Netflix had an issue a couple years back where sessions would never expire and you could use Netflix for years with the same session cookie.
Some big auth providers throw in a few extra signals too. Your IP address changes? That might hurry up expiration a little. Your user agent changes? Big red flag. Etc.