WCIP-5: Session expiration #5
Currently a session is persisted in localStorage in browser environments, which allows a Dapp to maintain the connection to make call requests. Disregarding the security concerns about the exposure of the symmetric key, which are described in WCIP-2, there are also other security concerns regarding the user keeping a session open indefinitely on a device that they may or may not own.
Consider the scenario where you establish a WalletConnect session with a Dapp and it is persisted. An attacker could access the device on which the session is persisted by simply opening the same Dapp where this session is persisted. Although this attacker could not sign anything without possession of the user's Wallet, they could still access all the read information displayed by the Dapp.
This could be seen as a failure of the Dapp to re-authenticate by requiring a time-sensitive signature from the user's Wallet. We could however mitigate this by implementing it ourselves on the WalletConnect side.
Hence we would add an expiry date to all persisted sessions. I propose a 24-hour timeframe for this expiry. Whenever this expiry date is reached, the user will be required to sign a
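The expiry scheme proposed above, as an added example (not WalletConnect's own code): a session record is persisted with an absolute expiry 24 hours ahead, and on load an expired, legacy (no expiry) or malformed record is dropped so the Dapp has to re-authenticate. The storage key name and the in-memory stand-in for localStorage are assumptions so the snippet runs under Node.

```javascript
// Added example, not WalletConnect's code: persist a session with a 24-hour
// expiry and force re-authentication once it has lapsed.
const SESSION_TTL_MS = 24 * 60 * 60 * 1000;
const STORAGE_KEY = "walletconnect"; // assumed key name, not the real one

// Minimal in-memory stand-in for window.localStorage (assumed, for Node).
function memoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}

// Persist the session together with the absolute time at which it expires.
function saveSession(storage, session, now = Date.now()) {
  const record = { ...session, createdAt: now, expiresAt: now + SESSION_TTL_MS };
  storage.setItem(STORAGE_KEY, JSON.stringify(record));
  return record;
}

// Load a persisted session. Returns { session } while it is valid, otherwise
// { session: null, reason }. Expired, legacy (no expiresAt) and malformed
// records are removed so a stale key never lingers in storage.
function loadSession(storage, now = Date.now()) {
  const raw = storage.getItem(STORAGE_KEY);
  if (raw === null) return { session: null, reason: "none" };
  let record;
  try {
    record = JSON.parse(raw);
  } catch {
    storage.removeItem(STORAGE_KEY);
    return { session: null, reason: "malformed" };
  }
  if (typeof record.expiresAt !== "number" || now >= record.expiresAt) {
    storage.removeItem(STORAGE_KEY);
    return { session: null, reason: "expired" };
  }
  return { session: record, reason: null };
}

// True when the Dapp must ask the Wallet for a fresh, time-bound signature
// before the connection can be used again.
function needsReauth(storage, now = Date.now()) {
  return loadSession(storage, now).session === null;
}
```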