Right guys?

  • spiderplant@infosec.pub
    link
    fedilink
    arrow-up
    3
    ·
    1 year ago

    Really curious to see how they kill the existing tokens, and whether admins have tools to easily clear all sessions. On one of the Matrix chats someone suggested that the tokens have a one year expiry date!

    • TheSaneWriter@lemm.ee
      link
      fedilink
      arrow-up
      3
      ·
      1 year ago

      The servers should theoretically have a way to murder the tokens, but I’m not sure how Lemmy has implemented authentication so I don’t know for sure.

    • Mic_Check_One_Two@reddthat.com
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      Tokens are signed with a secret string, which basically tells the server that it is legitimate. They could change that secret, and the server would immediately distrust any tokens signed with the old secret. This would be a pretty nuclear option though, because it would require every single user to log back in.

      You’re not the first person to say that the expiration time is a year, which is hilariously long if true. A shorter expiration time is more secure (because it specifically limits attacks like this to a specific timeframe) but it also increases server load by requiring token requests more often. For instance, if the expiry was set at 5 minutes, you’d have requests every 5 minutes but an attacker would only have control of an account for a maximum of five minutes. Maybe it was done to help save on server load, since this is all basically run by a few people as a hobby.