Why don’t server side sessions implement a refresh mechanism like access/refresh JWTs?

While researching session-based authorization methods, I’ve been comparing server-side against JWT-based approaches. Server-side sessions appeal to me because they allow immediate access revocation. However, I’ve noticed a potential security concern with rolling session expiration. When rolling sessions, the expiration time updates on every request (at least this is how it’s implemented with express-session, where all my questions started). This means if an attacker steals a session ID, they could maintain access indefinitely by making regular requests that keep extending the session’s lifetime (at least until the session is explicitly deleted/logged out). I tried to research more about this but couldn’t find much other than that sessions could be fingerprinted with info like user-agent to add extra security.
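The usual defensive answer to the concern above is to keep the rolling idle timeout (what express-session's `rolling: true` with `cookie.maxAge` gives you) but pair it with a fixed absolute lifetime set at login that no request can extend, so a stolen session ID dies at the hard cap no matter how regularly it is used. The block below is an added example, not code from the question or from express-session; `createSession`, `touchSession`, `absoluteLifetimeGuard`, the Map-like `store`, `req.sessionId` and the timeout values are assumptions.

```javascript
const IDLE_TIMEOUT_MS = 15 * 60 * 1000;          // rolling window, reset on each request
const ABSOLUTE_TIMEOUT_MS = 8 * 60 * 60 * 1000;  // hard cap fixed at login, never extended

// Create a session record at login; `now` is injectable so the logic can be tested offline.
function createSession(userId, now = Date.now()) {
  return {
    userId,
    createdAt: now,                       // anchors the absolute lifetime
    idleExpiresAt: now + IDLE_TIMEOUT_MS, // slides forward on each valid request
  };
}

// Validate a session on each request and, if still valid, slide the idle expiry.
// Returns { ok: true } or { ok: false, reason }; expired sessions are never extended.
function touchSession(session, now = Date.now()) {
  if (!session) return { ok: false, reason: 'missing' };
  const absoluteExpiresAt = session.createdAt + ABSOLUTE_TIMEOUT_MS;
  if (now >= absoluteExpiresAt) return { ok: false, reason: 'absolute_timeout' };
  if (now >= session.idleExpiresAt) return { ok: false, reason: 'idle_timeout' };
  // Rolling behaviour, clamped so the idle expiry can never outlive the hard cap.
  session.idleExpiresAt = Math.min(now + IDLE_TIMEOUT_MS, absoluteExpiresAt);
  return { ok: true };
}

// Express-style middleware (hypothetical; `store` is any Map-like keyed by session ID,
// `req.sessionId` is assumed to be set by cookie parsing). On either timeout the
// session is deleted server-side, keeping the immediate-revocation property the
// question values, instead of being silently extended.
function absoluteLifetimeGuard(store) {
  return function (req, res, next) {
    const result = touchSession(store.get(req.sessionId));
    if (!result.ok) {
      store.delete(req.sessionId);
      res.statusCode = 401;
      return res.end('session expired: ' + result.reason);
    }
    next();
  };
}
```

A session touched every ten minutes keeps sliding until the eighth hour and is then rejected with `absolute_timeout`; the same idea maps onto express-session by storing `createdAt` in the session data and rejecting in a middleware before the store's own rolling refresh runs.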
