A session token with only a few minutes validity can be enough for someone to make their access permanent.