by mmcnickle
4739 days ago
The justification is earlier in the article [1]. It slightly lowers the attack cross-section. If you implement the separate login cookie scheme described in the linked article [2] you also get a limited ability to detect hijacked sessions and limit the length of time an attacker has access to the account.

[1] "One argument against long expiration of auth cookies is that they're effectively keeping the user authenticated and at risk of attacks such as CSRF or clickjacking. Of course the application needs to exhibit other risks in order for an attacker to capitalise on the long lasting cookie but the whole defence in depth argument comes up again."

[2] http://jaspan.com/improved_persistent_login_cookie_best_prac...
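The detection and time-limiting behaviour the comment refers to comes from rotating a per-device token on every use while keeping a stable series identifier. The sketch below is an added example, not the commenter's code and not taken from the linked article; it assumes an in-memory `PersistentLoginStore`, a `user:series:token` cookie layout and a caller that swaps in the returned fresh cookie and treats `None` as "not logged in".

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class Series:
    user: str
    token_hash: str   # only a hash of the token is kept server-side
    expires: float


class PersistentLoginStore:
    """Hypothetical server-side table of persistent-login series (in memory)."""

    def __init__(self, lifetime_seconds=30 * 24 * 3600, now=time.time):
        self.now = now                      # injectable clock for testing
        self.lifetime = lifetime_seconds
        self.series = {}                    # series id -> Series
        self.alerts = []                    # users whose cookie was replayed

    @staticmethod
    def _h(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        """Create a new series for a freshly password-authenticated user."""
        series, token = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.series[series] = Series(user, self._h(token), self.now() + self.lifetime)
        return f"{user}:{series}:{token}"

    def redeem(self, cookie):
        """Return (user, fresh_cookie) on success, None otherwise."""
        parts = cookie.split(":")
        if len(parts) != 3:
            return None
        user, series, token = parts
        rec = self.series.get(series)
        if rec is None or rec.user != user or rec.expires < self.now():
            self.series.pop(series, None)   # unknown or expired: plain logout
            return None
        if not secrets.compare_digest(rec.token_hash, self._h(token)):
            # Known series but stale token: this cookie was copied and one copy
            # has already been used. Revoke every series for the user and alert.
            self.revoke_user(user)
            self.alerts.append(user)
            return None
        new_token = secrets.token_urlsafe(32)   # rotate token, keep series
        rec.token_hash = self._h(new_token)
        return user, f"{user}:{series}:{new_token}"

    def revoke_user(self, user):
        for s in [s for s, r in self.series.items() if r.user == user]:
            del self.series[s]
```

A copied cookie therefore only works until either party next presents it; the second use of the older token trips the revocation, which is the "limited" detection the comment describes.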