ScenarioIntermediateSecurity A teammate proposes making access tokens valid for 24 hours so users rarely need to refresh. What are the risks, and what would you recommend?
Follow-up questions
- How could you add revocation to otherwise stateless access tokens?
- What lifetime would you pick for the refresh token, and why?
#tokens#security#session-management