by Spivak
2053 days ago
Hahaha. Slack does something similar. My company set a policy to log everyone out of Slack every week. And it “works” except it’s enforced only by the client because you can go into Slack’s files and pull out your user-key which is a session token that never expires, is never rotated, and bypasses SSO and 2FA. So everyone who doesn’t want to be logged out just extracted their key and uses it to stay logged in on their other clients. (Also, if you run across some tool/bot that needs a Legacy Token, your user-key will work. When Slack stopped letting users generate them it didn't apply to Slack itself.)