If an attacker steals a session cookie with XSS or session fixation, the attacker immediately gains access to a valid session and can keep performing requests to keep the session alive. An absolute timeout would limit the amount of time the attacker has, but realistically this wouldn’t really hinder any attacker.
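As an added illustration of the keep-alive point above (example code written for this page, not any commenter's), here is a minimal server-side session store with a sliding idle timeout and a hard absolute cap, plus a simulation of a session holder that sends a request every few minutes. The timeout values and the `keep_alive_attempt` helper are assumptions chosen for the demonstration.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    created_at: float   # login time, in seconds
    last_seen: float    # time of the most recent accepted request


class SessionStore:
    """Server-side session table with a sliding idle timeout and a hard absolute cap."""

    def __init__(self, idle_timeout: float, absolute_timeout: float):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout  # float("inf") disables the cap
        self._sessions: dict[str, Session] = {}

    def login(self, now: float) -> str:
        sid = secrets.token_urlsafe(32)  # 256-bit random session id
        self._sessions[sid] = Session(created_at=now, last_seen=now)
        return sid

    def touch(self, sid: str, now: float) -> bool:
        """Validate a request presenting `sid` at time `now`; slide the idle window on success."""
        s = self._sessions.get(sid)
        if s is None:
            return False
        if now - s.created_at > self.absolute_timeout or now - s.last_seen > self.idle_timeout:
            self._sessions.pop(sid, None)  # expired: drop it so it cannot be revived
            return False
        s.last_seen = now
        return True


def keep_alive_attempt(store: SessionStore, sid: str, start: float,
                       interval: float, duration: float) -> float:
    """Simulate whoever holds `sid` sending one request every `interval` seconds
    for up to `duration` seconds. Returns how long (seconds) the session stayed usable."""
    last_ok = start
    t = start
    while t <= start + duration:
        if not store.touch(sid, t):
            break
        last_ok = t
        t += interval
    return last_ok - start
```

With only an idle timeout, a holder who keeps sending requests keeps the session alive for the whole simulated day; with an absolute cap, the usable window ends at the cap no matter how often they poll.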
It is a lot harder to obtain valid short term tokens than it is to obtain long lived tokens. The insecurity of long term tokens is demonstrated by the many Elon Musk crypto scams found on Youtube.
I do agree that it is always a question of risk/reward. But to argue against it by saying short term tokens don't provide any added security, because a hacker can still gain access to a valid short lived token is disingenuous.
This. It has to do with the window of time that the attacker could access the session. If a service is meant to be used, say, once every 3 months, setting the session expiry to 7 days would make the usable attack window 7/90 = 7.8%. However, if the expiry is infinite, the hacker could just access the session any time.
It's also much easier to obtain an active session token than to configure a tool that obtains the token of the future logins.
Perhaps it doesn't matter that much if the service is meant to be logged in all the time tho.