[Team Experiments] Token expiration, from hour to days
Aug 9, 2016
Today, we looked at a bug we have had for a long time: the token duration bug.
The problem
For those who are wondering what this bug was, here is a summary.
- We wanted the token lifetime to be short! (More secure.)
- We made it short (3600 seconds).
- We found issues in the flow, so while fixing them we made it longer (13060800 seconds).
- We fixed the issue and set the token verification back to 3600 seconds.
Problem is, when tokens were issued, we didn't set the lifetime back to 3600 seconds, so:
- Tokens were issued with a 13060800-second lifetime
- In the APIs, tokens were considered expired after 3600 seconds
The solution
We finally agreed on a fix:
- Now the tokens have a lifetime of 172800 seconds (48 hours)
Why? Because life is too short to refresh tokens every hour!
(But we also think that refreshing tokens is a good practice.)
The consequences
- You might have to refresh the token sooner than expected, but it will continue to work as expected.
- Now expires_in can be trusted.
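The mismatch described above, recast as an added example (not the team's code): a toy HMAC-signed token whose issuer and verifier both read one shared lifetime constant, so the expires_in returned to the client is the same value the API enforces, next to a legacy verifier that applied its own 3600-second cap regardless of what was signed. The key, subject and timestamps are constructed for the demo.

```python
import base64, hashlib, hmac, json
from typing import Optional

SECRET = b"constructed-demo-key"  # assumption: shared HMAC key for the demo only

# Single source of truth for the lifetime: issuance and verification both read it.
TOKEN_LIFETIME = 172800  # 48 hours, the value the post settles on

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(subject: str, now: int, lifetime: int = TOKEN_LIFETIME) -> dict:
    """Return {"access_token", "expires_in"}. expires_in is derived from the exp
    that is signed into the token, so the client is told what the API enforces."""
    claims = {"sub": subject, "iat": now, "exp": now + lifetime}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return {"access_token": f"{body}.{sig}", "expires_in": claims["exp"] - now}

def verify_token(token: str, now: int) -> Optional[dict]:
    """Accept only if the MAC is valid and the *signed* exp is still in the future.
    The verifier applies no lifetime of its own; the signed claim decides."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        claims = json.loads(_unb64(body))
        if now >= int(claims["exp"]):
            return None
    except (ValueError, KeyError, TypeError):
        return None
    return claims

def legacy_verify(token: str, now: int, max_age: int = 3600) -> Optional[dict]:
    """The mismatch from the post: the API ignored the signed exp and rejected
    anything older than its own hard-coded 3600 seconds, so a token issued with
    expires_in=13060800 stopped working after an hour."""
    claims = verify_token(token, now)
    if claims is None or now - int(claims["iat"]) >= max_age:
        return None
    return claims
```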