
If the account is for accessing an employer's system then sessions have to be kept short, and users have to re-login every day. Otherwise employees who have left the company would continue to access the system.

The reason Google never expires your session is because they want to track your activity and connect your activity to your account. This is not a good system to copy.



This seems like a non-issue... Can't you just invalidate existing sessions/tokens immediately when an account is suspended?


If you're using your own password-based auth then you can. But that has its own issues (such as the user having to remember to delete their account on your system). If you're using single sign-on then you have a token from an identity provider such as Microsoft or Google, and then you don't get immediate notification that the user account has been suspended.


Surely you can revoke a session before it expires?


No you can't because you don't immediately know that the user's account has been suspended (assuming you're using an identity provider).
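The trade-off the last two comments describe (a session backed by an identity provider that does not push suspension events) can be handled by combining an absolute session lifetime with a periodic re-check of the account's status. The following is an added illustration, not code from anyone in the thread. It assumes a hypothetical `is_account_active(subject)` call on the provider client; a real deployment would use the provider's token introspection or user-info endpoint, and would additionally honour any back-channel logout or deprovisioning signal the provider does offer via `revoke_all_for`.

```python
"""Session policy: absolute expiry plus periodic re-check against an identity provider.

Added illustration for the thread above (not the commenters' code). The IdP client
interface is_account_active(subject) -> bool is an assumption standing in for a
real provider's token introspection or user-info endpoint.
"""
import secrets
import time
from dataclasses import dataclass

MAX_SESSION_AGE = 8 * 3600       # absolute lifetime: forces a fresh login daily
IDP_RECHECK_INTERVAL = 15 * 60   # how stale a "still active" answer may be


@dataclass
class Session:
    subject: str
    created_at: float
    last_idp_check: float
    revoked: bool = False


class FakeIdP:
    """Constructed stand-in for an identity provider that knows which accounts are suspended."""

    def __init__(self):
        self.suspended = set()

    def is_account_active(self, subject):
        return subject not in self.suspended


class SessionStore:
    def __init__(self, idp, now=time.time):
        self.idp = idp
        self.now = now          # injectable clock so the policy can be exercised offline
        self.sessions = {}

    def login(self, subject):
        # Called after the IdP has authenticated the user (for example an OIDC callback).
        sid = secrets.token_urlsafe(32)
        t = self.now()
        self.sessions[sid] = Session(subject, t, t)
        return sid

    def revoke_all_for(self, subject):
        # Immediate local revocation, for the cases where a suspension signal does
        # arrive: admin action, SCIM deprovisioning, or the IdP's back-channel logout.
        for s in self.sessions.values():
            if s.subject == subject:
                s.revoked = True

    def validate(self, sid):
        """Return the subject for a valid session, or None if the user must log in again."""
        s = self.sessions.get(sid)
        if s is None or s.revoked:
            return None
        t = self.now()
        if t - s.created_at > MAX_SESSION_AGE:
            del self.sessions[sid]           # absolute lifetime exceeded
            return None
        if t - s.last_idp_check > IDP_RECHECK_INTERVAL:
            # No push notification from the IdP is assumed, so poll: a suspended
            # account is cut off within one re-check interval at most.
            if not self.idp.is_account_active(s.subject):
                del self.sessions[sid]
                return None
            s.last_idp_check = t
        return s.subject


if __name__ == "__main__":
    clock = [0.0]
    idp = FakeIdP()
    store = SessionStore(idp, now=lambda: clock[0])
    sid = store.login("alice")
    idp.suspended.add("alice")           # suspension happens at the provider, unannounced
    clock[0] += IDP_RECHECK_INTERVAL + 1
    print("alice after re-check window:", store.validate(sid))   # None
```

The two constants express the policy choice: `MAX_SESSION_AGE` bounds how long a departed employee could keep a session even if every re-check failed, and `IDP_RECHECK_INTERVAL` bounds the window between suspension at the provider and lock-out, at the cost of one status call per session per interval.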



