Fully agreed. Just because 1 security measure doesn't prevent all malicious attacks, doesn't mean that it "does not help security". It's just fundamentally false because some malicious attacks rely on long expirations, therefore for those attacks, this method does help security. Not all malicious attempts are refined or perfectly executed and sometimes a user can simply rely on a token that lasts too long.
It's a clickbait title and it worked. A title like this would be much more accurate: "Short session expirations provide less security than you might think"
It's a clickbait title and it worked. A title like this would be much more accurate: "Short session expirations provide less security than you might think"