I am using pac4j with Apache Shiro for my application. I want to know what the maximumAuthenticationLifetime value is that we need to set. If I set it to a longer time like "31536000" seconds (365 days), will it open potential security issues? If someone is able to intercept the security token, could they use it for 365 days? So what is the best possible way to set the maximumAuthenticationLifetime?
1 Answer
It depends on your IDP. If the IDP ensures that the session is valid for up to 365 days, you can set maximumAuthenticationLifetime up to 365 days.
But if the IDP expires the session after 1 day, then there is no use in setting maximumAuthenticationLifetime to more than a day.
So maximumAuthenticationLifetime must be <= the session timeout configured at the IDP.

Anil Agrawal
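To make the trade-off in the question and answer concrete: pac4j's SAML2 client uses maximumAuthenticationLifetime to reject a response whose AuthnStatement/AuthnInstant is older than that many seconds, so the value is effectively the window in which an old or captured response is still accepted. The Python below is an added model of that check, not code from pac4j, Shiro or the posters; the assertion, the 30-day gap and the SAMPLE_NOW clock are constructed sample data.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not from a real IdP): the user authenticated at the IdP
# on 2024-01-01, and the SP evaluates the response 30 days later (SAMPLE_NOW).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
  <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z" SessionIndex="_s1"/>
</saml:Assertion>"""
SAMPLE_NOW = datetime(2024, 1, 31, 12, 0, 0, tzinfo=timezone.utc)


def parse_authn_instant(assertion_xml: str) -> datetime:
    """Return the AuthnInstant of the first AuthnStatement as an aware UTC datetime."""
    root = ET.fromstring(assertion_xml)
    stmt = root.find("saml:AuthnStatement", SAML_NS)
    if stmt is None or stmt.get("AuthnInstant") is None:
        raise ValueError("assertion carries no AuthnStatement/AuthnInstant")
    instant = datetime.strptime(stmt.get("AuthnInstant"), "%Y-%m-%dT%H:%M:%SZ")
    return instant.replace(tzinfo=timezone.utc)


def authn_instant_valid(authn_instant: datetime, now: datetime,
                        max_lifetime_s: int, clock_skew_s: int = 0) -> bool:
    """Lifetime rule: the IdP authentication must not lie in the future and must
    be no older than max_lifetime_s seconds (with optional clock-skew tolerance)."""
    skew = timedelta(seconds=clock_skew_s)
    if authn_instant - skew > now:
        return False  # timestamp from the future: reject
    return authn_instant + timedelta(seconds=max_lifetime_s) + skew >= now


def accepts(assertion_xml: str, now: datetime, max_lifetime_s: int) -> bool:
    """Would an SP configured with this maximumAuthenticationLifetime accept it?"""
    return authn_instant_valid(parse_authn_instant(assertion_xml), now, max_lifetime_s)


if __name__ == "__main__":
    # 365 days accepts the month-old authentication; 7 days or 1 day rejects it.
    for days in (365, 7, 1):
        verdict = "ACCEPTED" if accepts(SAMPLE_ASSERTION, SAMPLE_NOW, days * 86400) else "REJECTED"
        print(f"maximumAuthenticationLifetime={days}d -> 30-day-old assertion {verdict}")
```

The same assertion passes with a 365-day lifetime and fails with 1 day, which is why the answer's rule (no longer than the IDP's own session timeout) keeps the window as small as the IDP already allows.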