56
submitted 1 year ago by tryagain@lemmy.ml to c/meta@lemmy.ml

Right guys?

you are viewing a single comment's thread
view the rest of the comments
[-] Mic_Check_One_Two@reddthat.com 2 points 1 year ago

Tokens are signed with a secret string, which basically tells the server that it is legitimate. They could change that secret, and the server would immediately distrust any tokens signed with the old secret. This would be a pretty nuclear option though, because it would require every single user to log back in.

You’re not the first person to say that the expiration time is a year, which is hilariously long if true. A shorter expiration time is more secure (because it specifically limits attacks like this to a specific timeframe) but it also increases server load by requiring token requests more often. For instance, if the expiry was set at 5 minutes, you’d have requests every 5 minutes but an attacker would only have control of an account for a maximum of five minutes. Maybe it was done to help save on server load, since this is all basically run by a few people as a hobby.

this post was submitted on 10 Jul 2023
56 points (96.7% liked)

lemmy.ml meta

1406 readers
1 users here now

Anything about the lemmy.ml instance and its moderation.

For discussion about the Lemmy software project, go to !lemmy@lemmy.ml.

founded 3 years ago
MODERATORS