Page MenuHomePhabricator

Make partial sessions expire after 30 minutes, and do not extend them

Authored by epriestley on Dec 18 2018, 7:58 PM.



Depends on D19904. Ref T13226. Ref T13222. Currently, partial sessions (where you've provided a primary auth factor like a password, but not yet provided MFA) work like normal sessions: they're good for 30 days and extend indefinitely under regular use.

This behavior is convenient for full sessions, but normal users don't ever spend 30 minutes answering MFA, so there's no real reason to do it for partial sessions. If we add login alerts in the future, limiting partial sessions to a short lifetime will make them more useful, since an attacker can't get one partial session and keep extending it forever while waiting for an opportunity to get past your MFA.

Test Plan
  • Did a partial login (to the MFA prompt), checked database, saw a ~29 minute partial session.
  • Did a full login, saw session extend to ~30 days.

Diff Detail

rP Phabricator
Automatic diff as part of commit; lint not applicable.
Automatic diff as part of commit; unit tests not applicable.