---
title: Re-authenticate For Long Keys/Sessions
impact: CRITICAL
impactDescription: prevents indefinite access via stolen tokens
tags: session, authentication, token, expiry, security, csharp
---

## Re-authenticate For Long Keys/Sessions

Long-lived sessions and keys let an attacker who steals a token keep access indefinitely. Bound the lifetime of every credential and force the user to re-authenticate when it runs out.

**Incorrect (never expiring tokens):**

```csharp
using System;
using System.Security.Claims;
using Microsoft.IdentityModel.Tokens;

// The token stays valid for a year: whoever steals it keeps access for that long.
var tokenDescriptor = new SecurityTokenDescriptor
{
    Subject = new ClaimsIdentity(claims),
    Expires = DateTime.UtcNow.AddYears(1), // Too long!
    SigningCredentials = credentials
};
```

**Correct (short lived access tokens + refresh tokens):**

```csharp
using System;
using System.Security.Claims;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// 1. Short-lived access token (e.g. 15-30 mins); a refresh token is used to obtain a new one
var tokenDescriptor = new SecurityTokenDescriptor
{
    Subject = new ClaimsIdentity(claims),
    Expires = DateTime.UtcNow.AddMinutes(15),
    SigningCredentials = credentials
};

// 2. Validate the security stamp periodically for cookie auth
services.Configure<SecurityStampValidatorOptions>(options =>
{
    // Re-check every 30 mins whether user attributes (password/roles) changed
    options.ValidationInterval = TimeSpan.FromMinutes(30);
});

// 3. Sliding expiration for the Identity application cookie
services.ConfigureApplicationCookie(options =>
{
    // Resets the expiry while the user is active. Sliding expiration alone imposes no
    // absolute limit, so an active session can be renewed indefinitely; enforce an
    // absolute lifetime separately (e.g. in Events.OnValidatePrincipal) if required.
    options.SlidingExpiration = true;
    options.ExpireTimeSpan = TimeSpan.FromMinutes(60);
});
```
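The refresh-token half of the pattern above, as an added example that is not part of the original page: a hypothetical `RefreshTokenService` (assumes .NET 6+; the in-memory dictionary stands in for a database) that rotates the refresh token on every use, revokes the whole session when a rotated token is presented again, and forces re-authentication once either the idle or the absolute lifetime is reached.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical in-memory refresh-token store; a real service persists this in a database.
public sealed class RefreshTokenService
{
    private sealed record Entry(string UserId, DateTime SessionStart, DateTime Expires, bool Used);
    private readonly Dictionary<string, Entry> _byHash = new();
    private static readonly TimeSpan RefreshLifetime = TimeSpan.FromDays(7);    // idle limit per token
    private static readonly TimeSpan AbsoluteLifetime = TimeSpan.FromDays(30);  // hard limit per login
    // Called at login: fixes the session start that every later rotation inherits.
    public string Issue(string userId) => Issue(userId, DateTime.UtcNow);
    // Returns a fresh refresh token, or null when the client must log in again.
    public string? Rotate(string presented)
    {
        var key = Hash(presented);
        if (!_byHash.TryGetValue(key, out var entry)) return null;  // unknown or already revoked
        // A rotated token presented a second time means the old copy was stolen: drop the session.
        if (entry.Used)
        {
            RevokeUser(entry.UserId);
            return null;
        }
        var now = DateTime.UtcNow;
        if (now > entry.Expires || now > entry.SessionStart + AbsoluteLifetime)
        {
            _byHash.Remove(key);  // idle or absolute limit reached: force re-authentication
            return null;
        }
        _byHash[key] = entry with { Used = true };  // keep the old hash so reuse is detectable
        return Issue(entry.UserId, entry.SessionStart);
    }
    public void RevokeUser(string userId)
    {
        foreach (var k in new List<string>(_byHash.Keys))
            if (_byHash[k].UserId == userId) _byHash.Remove(k);
    }
    private string Issue(string userId, DateTime sessionStart)
    {
        // 256-bit random opaque token; only its SHA-256 is stored, so a database leak is not a session leak.
        var token = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        _byHash[Hash(token)] = new Entry(userId, sessionStart, DateTime.UtcNow + RefreshLifetime, false);
        return token;
    }
    private static string Hash(string token) => Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));
}
```

A `null` from `Rotate` is the signal to clear the client's tokens and send the user back through login; the access token itself keeps the 15-minute expiry shown above.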

**Tools:** ASP.NET Identity, IdentityServer
