by ctomaybe
3803 days ago
I get that non-expiring tokens are a Bad Idea™, but it's complete bullshit that this is a groundbreaking security flaw. Any service that uses Bearer tokens for request authorization is "vulnerable" under these terms -- regardless of whether or not tokens are invalidated on "logout." What's to say a malicious MITM isn't going to hijack your account while you're still logged in? Secure infrastructure isn't the one and only solution, but it certainly means that "vulnerabilities" like this are pointless unless your malicious attacker either has the remote server certs or has cracked TLS.
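The property the comment is arguing about is the window during which a bearer token that has been captured in transit remains usable. The following is an added example, not code from the commenter or from the service under discussion: a minimal server-side token store with a short time-to-live and logout revocation, so that a token stops working at expiry or when the session is ended, independently of whether the transport was secure. The class and method names (`TokenStore`, `issue`, `validate`, `revoke`) and the 15-minute default TTL are assumptions for illustration.

```python
# Added example (not from the comment above): bearer tokens with
# server-side expiry and logout revocation. Only a hash of each token is
# stored, so a leaked store does not directly yield usable tokens.
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def _fingerprint(token: str) -> str:
    """Store tokens by SHA-256 so the store itself is not a token leak."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class TokenStore:
    # Assumed default: 15-minute lifetime; the comment's point is that a
    # token with no expiry stays usable indefinitely once captured.
    ttl_seconds: int = 900
    # fingerprint -> (user, absolute expiry time in seconds since epoch)
    _tokens: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def issue(self, user: str, now: Optional[float] = None) -> str:
        """Mint a random bearer token bound to a user with an expiry."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._tokens[_fingerprint(token)] = (user, now + self.ttl_seconds)
        return token

    def validate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user for a live token, or None if unknown/expired/revoked."""
        now = time.time() if now is None else now
        entry = self._tokens.get(_fingerprint(token))
        if entry is None:
            return None
        user, expiry = entry
        if now >= expiry:
            # Expired tokens are dropped so the store does not grow unbounded.
            del self._tokens[_fingerprint(token)]
            return None
        return user

    def revoke(self, token: str) -> bool:
        """Logout: invalidate the token server-side. True if it was live."""
        return self._tokens.pop(_fingerprint(token), None) is not None


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Constructed walk-through using fixed clock values instead of time.time()."""
    store = TokenStore(ttl_seconds=60)
    tok = store.issue("alice", now=1000.0)
    live = store.validate(tok, now=1010.0)      # within TTL -> "alice"
    expired = store.validate(tok, now=1060.0)   # at TTL boundary -> None
    tok2 = store.issue("alice", now=1000.0)
    store.revoke(tok2)                          # simulated logout
    revoked = store.validate(tok2, now=1001.0)  # revoked -> None
    return live, expired, revoked


if __name__ == "__main__":
    print(demo())
```

With expiry and revocation in place, a token captured by an on-path attacker is only useful until the earlier of its TTL and the user's logout; without them, as the comment notes, it is useful for as long as the service keeps honouring it.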