More details on token expiration?

[jzaefferer]

I understand this recommendation:

Make token expiration (TTL, RTTL) as short as possible.

Though I wonder what qualifies "as short as possible". If a json web token is used as a session, making that session expire after five minutes is going to make a horrible user experience.

Is there a recommended strategy for short expiration with longer sessions?

[thisconnect]

One approach is to have 2 tokens. A short one for api calls and a long one for reauthenticate the short token

[jzaefferer]

Okay, though how does that solve anything? You still have a token with long expiration.

[thisconnect]

One aspect to consider token expiration is your usecase medical/banking services might want to invalidate after a "short" time of inactivity e.g 10minutes

If you run a social network about cat pics short may be different

[jzaefferer]

Thanks for that input, too, but it doesn't seem to answer my question.

[netcode]

Its been always a trade off between user expierence and security. So it depends on your situation and what UX you can implement to avoid annoying users.
For me 5-10 minutes of inactivity is enough , and you can show box to extend session limit and refresh to token.

[jzaefferer]

Maybe this discussion helps someone else, but its not what I was hoping for. The checklist still has the same item ("Make token expiration (TTL, RTTL) as short as possible."). 5-10min is definitely too short for the kind of products I'm working on - the only use case where that seems appropriate is online banking. Anyway, thanks for sharing.

[netcode]

We can't put specific number for the token expiration time , it depends on your situation , just try to make it short as possible. Regards.