by infotogivenm
1290 days ago
I would consider it a “moderate” or “low” severity issue, the same as “session cookie does not expire.” Authentication tokens intended for ephemeral browser sessions should expire; it’s good practice not to hand out infinite-access credentials.

It's not great, there's certainly a way to secure it, but like many other solutions - stuffing it in a storage bucket with a "random" URL is "good enough" in the eyes of the platform.