Have you noticed? Websites keep sessions alive longer. Why?

I am sure you have seen the trend by now: once you log in to a web service (a website, email, e-commerce) you stay authenticated for days or weeks, with no need to log in next time.

Doesn't this create a security problem? Weren't we told that web sessions can be stolen? In the past, stealing a web session (and with it your "identity") was much easier than it is today, because:

  • XSS could read session cookies from JavaScript,
  • the HttpOnly cookie flag wasn't widely used,
  • HTTPS wasn't universal, so cookies without the Secure flag crossed the wire in the clear,
  • cookies weren't bound to devices (this one is still mostly the case; device-bound session credentials are only now being rolled out),
  • there was no SameSite attribute, so a cookie rode along on cross-site requests,
  • there was no CSP (Content Security Policy),
  • there was no browser isolation (sandboxing).

But things change: most of those gaps have been closed, and the fixes are the default in today's browsers and sites.

Now the main risk is the theft of the password, not of the session. Session tokens can still be stolen (infostealer malware copies browser cookie stores wholesale), which is why binding the session to the device is the item on that list still being worked on; but a stolen session token expires and can be revoked, while a stolen password is reusable until it is changed. Service providers hate storing passwords, even as hashes, because a database of password hashes is a standing liability: one breach and it goes straight to offline cracking and credential-stuffing lists. They want to get rid of passwords altogether, and that is one of the reasons passkeys are getting such a push these days.

The risks of dealing with passwords

Every time a user types a password, several things happen:

  • the password exists in plaintext in the user's device memory,
  • it exists in plaintext in the browser's memory,
  • it exists in plaintext in the OS input buffer,
  • it exists in plaintext in the server's RAM (only for milliseconds, but it is there),
  • it travels over the network (encrypted by TLS, but still a target for MITM attempts),
  • it can be intercepted by malware, keyloggers, compromised browser extensions, etc.

What this means is that every login attempt is a fresh opportunity for theft.

This is why:

  • password managers autofill passwords in web browsers (reducing typing exposure),
  • web browsers warn about compromised passwords,
  • passkeys are being pushed to remove passwords completely,
  • and finally authenticated sessions are kept alive for longer (weeks or months), so the password is typed less often.

If you are curious how long sessions can be (typical values, varying by provider):

  Type of service          Typical session lifetime
  consumer websites        2–4 weeks
  mobile apps              months
  enterprise SaaS          30–90 days
  high-security services   hours for the full session, 30 days for a device token
  developer platforms      2–4 weeks

This actually is an example of a good security measure: user-friendliness is much improved (who wants to type a password 10 times a day?) and security is not left behind, provided the long-lived part is a revocable device token that can only mint short full sessions, as in the high-security row above, rather than one full session that lives for a month.