Some questions about Lucia concepts

[lorisleitner]

Hi guys,

I want to borrow some concepts from Lucia Auth for an application I'm developing with another tech stack.
It consists of a REST API, a mobile app and a React SPA.

The React Web App receives the token in a HttpOnly/secure/same-site cookie when the clientId in the authentication request is set to "web". The mobile app receives the token in the response body when the clientId is set to "app" and saves it to a secure on-device storage and adds it to every request made to the API.

Session tokens are never rotated in Lucia Auth and can be infinitely extended. If an attacker gets hold of the token, he can infinitely extend the session lifetime by making requests to the API. Is this considered a secure practice? Do we need some kind of session ID rotation after a few minutes to hours?

The expiration of the web app is set to 1 month, the mobile app must have a much longer expiration of 1 year.

Do you have any suggestions on how to tackle this problem or making it more secure?

Thanks a lot!

[pilcrowonpaper]

If an attacker gets hold of the token, he can infinitely extend the session lifetime by making requests to the API.

If you're not exposing the token in the URL, the only way someone can get hold of your token is if they have access to your device or network. At that point, you probably can't do much.

That said, there are few options:

• Implement an absolute expiration
• Limit the session to a single IP address or geolocation
• Implement sudo mode, where users are asked for their password/passkey/OTP/yubikey before any critical actions