TOK01 Long-Lived Token Use
What this means
SiteShadow flagged tokens or sessions configured with overly long lifetimes (or no expiry at all). A token that stays valid for a long time magnifies the impact of any leak or account compromise.
Why it matters
Long-lived tokens widen the window of exposure after a compromise.
- Stolen tokens stay valid for weeks/months, turning small leaks into major incidents.
- Rotation is harder if systems assume tokens "never expire."
- Auditing is weaker: you can't confidently bound the window of exposure.
Safer examples
1) Use short-lived access tokens + refresh rotation
- Access token: minutes (e.g., 5–30 min)
- Refresh token: rotate on use; revoke on suspicion
2) Bind tokens to context when possible
Binding a token to a device or session, and checking its audience and issuer claims on every use, limit where a stolen token can be replayed.
3) Provide revocation and rotation mechanisms
Admins and users should be able to revoke sessions and API keys immediately, without waiting for a long TTL to run out.
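The following is an added illustration, not SiteShadow's code, of items 1) and 2) using only the Python standard library: a 15-minute HS256 access token whose verifier refuses tokens with no exp, expired tokens and wrong iss/aud claims, plus a refresh-token store that rotates on every use and revokes the whole token family when an already-spent token is presented again. The signing key, issuer and audience values are constructed placeholders.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"demo-signing-key-not-for-production"  # constructed demo value
ISSUER, AUDIENCE = "https://auth.example.test", "api.example.test"  # placeholders
ACCESS_TTL = 15 * 60  # seconds: a 15-minute access token

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def _sign(header: str, claims: str) -> bytes:
    return hmac.new(SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()

def issue_access_token(sub: str, now: int, ttl=ACCESS_TTL) -> str:  # ttl=None: "no expiry"
    body = {"iss": ISSUER, "aud": AUDIENCE, "sub": sub, "iat": now}
    if ttl is not None:
        body["exp"] = now + ttl
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64(json.dumps(body).encode())
    return f"{header}.{claims}.{_b64(_sign(header, claims))}"

def verify_access_token(token: str, now: int) -> dict:
    header, claims, sig = token.split(".")
    if not hmac.compare_digest(_sign(header, claims), _unb64(sig)):  # always our key
        raise ValueError("bad signature")
    body = json.loads(_unb64(claims))
    if not isinstance(body.get("exp"), int):
        raise ValueError("token has no expiry")  # never accept an unbounded token
    if body["exp"] <= now:
        raise ValueError("token expired")
    if body.get("iss") != ISSUER or body.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")  # limits where replay works
    return body

class RefreshStore:  # rotate on every use; replay of a spent token revokes its family
    def __init__(self):
        self.live, self.spent, self.revoked = {}, {}, set()
    def issue(self, family=None) -> str:
        token = secrets.token_urlsafe(32)
        self.live[token] = family or secrets.token_hex(8)
        return token
    def rotate(self, token: str) -> str:
        if token in self.spent:  # an old token came back: assume the chain leaked
            self.revoked.add(self.spent[token])
            raise ValueError("refresh token reuse detected; family revoked")
        family = self.live.pop(token, None)
        if family is None or family in self.revoked:
            raise ValueError("unknown or revoked refresh token")
        self.spent[token] = family
        return self.issue(family)
```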
How SiteShadow detects it (high level)
- Flags configs like "no expiry", "expires=0", extremely long TTLs, or disabled expiration checks.
- Detects common token libraries and settings where expiration validation is disabled or missing.
References
- CWE-613: https://cwe.mitre.org/data/definitions/613.html
---