HN Distilled

Essential insights from Hacker News discussions

Frequent reauth doesn't make you more secure

Original Article

Hacker News Discussion

Here's a breakdown of the key themes from the Hacker News discussion, supported by direct quotes:

Conflicting Definitions of "Session Cookie"

A primary point of contention revolves around the definition of "session cookie." Some argue it strictly refers to cookies that expire when the browser closes, while others use the term more broadly to describe any cookie used to maintain session data, regardless of its expiration. This divergence leads to significant communication issues.

  • "Edit: I'm dating myself here, but as far as I can tell apparently sometime between 2010 and 2011, developers started referring to session cookies as cookies with the lifetime of a browser session and not to cookies which contain session data." -- andrewmcwatters
  • "I think some developers will interpret the term 'session cookie' differently then that, because a 'session' is usually just something that's tracked in a backend, and an identifier for this session is often written in a cookie. Hence... Session cookie, even if set without expiration date." -- ffsm8
  • "You can believe what you like, but that won't change what people mean by the term 'session cookie'. If you try to communicate with other people using that definition of 'session cookie', your communication will fail." -- thaumasiotes
  • "It's just a difference of context. If one is talking about their application and they say 'session cookie', they probably mean 'cookie that stores session data'. If one is talking about different classifications of cookies in a browser, GP's definition of 'session cookie' is correct." -- lcnPylGDnU4H9OF

The Frustration with Frequent Re-authentication

Many users express frustration with systems that require frequent re-authentication, especially Google's. The perceived lack of significant security benefit, combined with the inconvenience, is a recurring theme.

  • "Google’s the one I have the most trouble with in this regard. The more things you sign into the worse it gets, seemingly, which really sucks if for example you’ve got a bunch of Android test devices and simulators sharing test accounts. A high profile example is how on the WAN Show, Linus or Luke always get booted out of the show Google Doc and have to sign back in at some point during." -- cosmic_cheese
  • "Google is pretty frustrating. I switch between my desktop and laptop frequently and sometimes browsers as well. The reauth dialog pops up two weeks for every login - usually just when I'm about to hop on a meeting." -- gsa
  • "Frequent reauth doesn't meaningfully improve your security posture (unless you have a very, very long expiry), but any auth system worth it's salt should have the capability to revoke a session, either via expiry or by user/device." -- d4mi3n

The Importance of Session Revocation Over Frequent Re-authentication

Several commentators emphasize that the ability to revoke sessions is more crucial for security than forcing users to constantly re-authenticate. Timely revocation mitigates the impact of compromised credentials or devices more effectively.

  • "In practice, I find that the latency between when you want to revoke a session to when that session no longer has access to anything is more important than how often you force reauthentication." -- d4mi3n
  • "This is why you have refresh tokens - your actual token expires regularly, but the client has a token that allows you to get a new one. Revoking is a case of not allowing them to get a new one." -- antihero
  • "AWS runs 12 hour session tokens, but you can still revoke those to address a compromise in that 12 hour gap. The nice thing that forced expiry does is you just get token revocation For Free by virtue of not allowing renewal" -- SOLAR_FIELDS

Security Considerations of Cookie Handling and Malware

The discussion touches on cookie security, particularly concerning malware and the common practice of clearing cookies on browser exit.

  • "I set my browser to clear cookies on exit so that my cookies cannot be stolen by malware." -- koakuma-chan
  • "Because (at least less sophisticated) malware just steals your browser files which contain cookies. I am assuming of course the browser is smart enough not to write cookies to disk if I set it to clear cookies on exit." -- koakuma-chan
  • "I’m down for it but I wonder of compromised devices that can figure it out how to keep the auth alive (or replicating user behavior). In those cases expiration still sounds like a good idea." -- clvx

Refresh Tokens and the Separation of Authentication and Authorization

The conversation highlights the benefit of using refresh tokens to separate authentication and authorization. Regularly expiring short-lived access tokens, coupled with refresh tokens for obtaining new ones, is presented as a way to balance security and user experience.

  • "This is why you have refresh tokens - your actual token expires regularly, but the client has a token that allows you to get a new one. Revoking is a case of not allowing them to get a new one." -- antihero
  • "You don't need reauthenticate for that, you just need to renew existing tokens. Separate the timeouts for authentication and authorization." -- the8472

Offline/Local-First Applications and Authentication Challenges

A smaller sub-thread addresses the complexities of authentication in offline or local-first applications. The need to authenticate against a remote service even when offline is seen as a potential design flaw.

  • "Sounds like you want local-first offline-first apps? Me too." -- bravesoul2
  • "If you've built a local app that has to authenticate you against a remote web service even when offline, and all the actual work is being done locally, you have much bigger design issues than authn IMHO" -- freedomben

Tradeoffs and Context-Specific Implementation

Several contributors emphasize that the best approach to authentication and session management depends on the specific context, business requirements, and threat model. There's no one-size-fits-all solution.

  • "This is an implementation detail in my opinion. There are cases where having the capability to force a refresh is desired. There are also cases where you want to be able to lock out a specific session/user/device. YMMV, do what makes sense for your business/context/threat model." -- d4mi3n
  • "It is, but its an architectural decision that forces expiry by default. So you should probably even have both." -- SOLAR_FIELDS