What's the best session lifetime?
There has been some debate over the recommended lifetime for a session. While some argue it has little effect on security, others claim the shorter, the better. Personally, I think the answer lies somewhere in between.
For those who own an overly expensive Netflix subscription, you may have noticed how its website always keeps you logged in (or at least that has been my experience). You may ask yourself if a large company like Netflix uses such a limitless session lifetime, then it must be okay right?
For those who work with Laravel, their default lifetime of a session is 120 minutes, or 2 hours. Although this sounds reasonable to me, Laravel Forge keeps you logged in for a longer period as well. It makes sense: it saves us from having to log in over and over again, which is especially time consuming with 2FA in mind.
I've been thinking about this issue and believe to have found some middle road: 3 days, or 4320 minutes:
SESSION_LIFETIME=4320
I now, it seems astronomically large compared to Laravel's default amount, but it's also not infinitely large. You may ask yourself: why not two days, or four? Well, assuming you've built an app that users interact with on a daily basis, then this lifetime would ensure users stay logged in over the weekend. 😉
Conclusion
Of course, I could be wrong here and feel free to reach out if you think I am. However, considering the wide range of practises out there, it seems like there is hardly any rule to follow these days.
And as with most beliefs or assumptions, the truth usually lies somewhere in the middle. And perhaps 4320 is just that. It's certainly a number that is easy to remember. 😉
Thanks for reading and hope to see you around!