What value does a session refresh really add to security? #73

Closed
clariontools opened this issue Oct 17, 2017 · 2 comments
Comments

@clariontools
Currently, a session refresh only changes the "expired" (and "refreshed" if you have that enhancement) value of an existing token. What does this add to security?

I thought the real security comes from the frequent changing of the user token and password so that if a session was compromised it would not be available for use after it expired. If the same token and password could be refreshed indefinitely, then is it really worth refreshing it at all?

If the goal is not to expose the username and password, then a one time session with an expires 10 years in the future would do that.

Would validating the ip address on a refresh to make sure it is refreshing from the same ip be a security enhancement #72?

How about validating the IP address on refresh and an option to reissue the token, password, dbURL and all by basically doing a logout (logoutAll or logoutOthers) behind the scenes and reissuing a complete new session?

I suppose the current "refresh" is really more like "extend" and I am talking more about a "renew" function. Without using the IP of the caller either way, a hacker could either continually refresh a session or, maybe worse, use a renew function to continually renew sessions. Yeah, that is probably not a good idea. I do think that validating IP on refresh might be a good enhancement, but I still am not convinced of the value of refresh.

The use case I could see is like what you see in a banking app, where a window pops up and says your session will be logged out due to inactivity, but you could just as easily do that with a timer that gets reset on activity and calls logout if it times out.

@micky2be
Owner

This is backend related. Nothing we can do here.

@clariontools
Author

Only wanted to discuss it here because it would also require a change to superlogin-client, just changing the server would not be enough.
