
WCIP-5: Session expiration #5

Open
pedrouid opened this issue Jun 7, 2019 · 0 comments

pedrouid (Member) commented Jun 7, 2019

Currently a session is persisted in localStorage in browser environments, which allows a Dapp to maintain the connection to make call requests. Disregarding the security concerns of the exposure of the symmetric key, which are described in WCIP-2, there are also other security concerns regarding the user maintaining a session indefinitely open on a device that they may or may not own.

Consider the scenario where you establish a WalletConnect session with a Dapp and it is persisted. An attacker could access the device which persists the session by simply opening the same Dapp where this session is persisted. Although this attacker could not sign anything without possession of the user's Wallet, they could still access all read information displayed by the Dapp.

This could be seen as a failure of the Dapp to re-authenticate by requiring a time-sensitive signature from the user's Wallet. We could even mitigate this by implementing it ourselves on the WalletConnect side.

Hence we would add an expiry date to all persisted sessions. I propose a 24 hour timeframe for this expiry. Whenever this expiry date is reached, the user will be required to sign a personal_sign or eth_signTypedData message that re-authenticates the session for another 24 hours. Otherwise the session will be disconnected after 5 minutes have passed since its expiry date.
