by ajanuary
4737 days ago
I think the restrictions are things like restricting by IP, reducing simultaneous use, throttling the rate you can create new sessions. With a unified token, you have to always trust it for as long as the 'remember me' token is alive. With split tokens, you can do sanity checks like those mentioned above on every session initialisation. The value of splitting the tokens into separate cookies seems to be simplicity of implementation. You can rely on the browser to invalidate the session cookie on a browser close, but leave the 'remember me' cookie (as far as you can rely on the browser to do anything). Every useful restriction I can think of seems brittle, so I guess it's weighing up security against support.
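The split-token scheme the comment describes, worked through as an added example (this is not ajanuary's code or any project's code): a persistent 'remember me' cookie that can only mint a short-lived session cookie after the server-side checks the comment lists (coarse IP binding, a cap on concurrent sessions, a throttle on new-session creation). The store only keeps a hash of the remember-me verifier, so a database leak does not hand out usable cookies. The class name `SplitTokenStore`, the selector:verifier cookie layout, the limits and the IPv4-only /24 comparison are all assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Example limits; real deployments tune these (assumptions, not from the thread).
SESSION_TTL = 30 * 60                 # session cookie lifetime, seconds
REMEMBER_TTL = 30 * 24 * 3600         # remember-me lifetime, seconds
MAX_CONCURRENT_SESSIONS = 3           # "reducing simultaneous use"
MAX_NEW_SESSIONS_PER_HOUR = 5         # "throttling the rate you can create new sessions"


@dataclass
class RememberRecord:
    user: str
    verifier_hash: bytes              # only a hash is stored server-side
    issued_ip: str
    expires: float
    recent_inits: list = field(default_factory=list)  # timestamps of session starts


class SplitTokenStore:
    """Server-side state for a persistent remember-me cookie plus short-lived sessions."""

    def __init__(self, clock=time.time):
        self.clock = clock            # injectable clock so the checks can be tested
        self.remember = {}            # selector -> RememberRecord
        self.sessions = {}            # session id -> (user, expiry)

    @staticmethod
    def _hash(verifier: str) -> bytes:
        return hashlib.sha256(verifier.encode()).digest()

    @staticmethod
    def _same_network(a: str, b: str) -> bool:
        # Coarse /24 binding for IPv4 (assumption; exact-IP binding breaks on mobile networks).
        return a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0]

    def issue_remember_me(self, user: str, ip: str) -> str:
        """Return the value for the persistent cookie: a lookup selector and a secret verifier."""
        selector = secrets.token_urlsafe(8)
        verifier = secrets.token_urlsafe(32)
        self.remember[selector] = RememberRecord(
            user, self._hash(verifier), ip, self.clock() + REMEMBER_TTL)
        return f"{selector}:{verifier}"

    def start_session(self, remember_cookie: str, ip: str):
        """Browser arrived with a remember-me cookie but no session cookie.

        Returns (session_id, status); session_id is None unless status == "ok".
        """
        selector, _, verifier = remember_cookie.partition(":")
        rec = self.remember.get(selector)
        now = self.clock()
        if rec is None or rec.expires < now:
            return None, "no-remember"
        if not hmac.compare_digest(rec.verifier_hash, self._hash(verifier)):
            # A valid selector with a wrong verifier means the cookie was guessed or
            # tampered with, so revoke it rather than leaving it usable.
            del self.remember[selector]
            return None, "revoked"
        if not self._same_network(ip, rec.issued_ip):
            return None, "ip-mismatch"
        rec.recent_inits = [t for t in rec.recent_inits if now - t < 3600]
        if len(rec.recent_inits) >= MAX_NEW_SESSIONS_PER_HOUR:
            return None, "throttled"
        live = [sid for sid, (user, exp) in self.sessions.items()
                if user == rec.user and exp > now]
        if len(live) >= MAX_CONCURRENT_SESSIONS:
            return None, "too-many-sessions"
        rec.recent_inits.append(now)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (rec.user, now + SESSION_TTL)
        return sid, "ok"


if __name__ == "__main__":
    store = SplitTokenStore()
    cookie = store.issue_remember_me("alice", "203.0.113.7")   # constructed sample
    print(store.start_session(cookie, "203.0.113.7")[1])       # ok
    print(store.start_session(cookie, "198.51.100.1")[1])      # ip-mismatch
```

Each check returns a distinct status so the login path can log why a remember-me cookie was refused; in practice the "revoked" branch is also the one worth alerting on, since it only fires on a selector that exists with a verifier that does not match.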