SiteShadow
Back to vulnerability library
Detected byPro-tier static analysisPro

TOK01 Long-Lived Token Use

What this means

SiteShadow flagged tokens/sessions configured with overly long lifetimes (or no expiry), which increases the impact of leaks and account compromise.

Why it matters

Long-lived tokens increase exposure window for compromise.

Safer examples

1) Use short-lived access tokens + refresh rotation

2) Bind tokens to context when possible

Device/session binding and token audience/issuer checks reduce token replay.

3) Provide revocation and rotation mechanisms

Admins/users should be able to revoke sessions/API keys immediately.

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.