
In the real world, security is done by a bunch of nearly clueless people hoping to put up enough sufficiently hard roadblocks to make it practically not worthwhile for you to hack in.

If you don't have mathematically secure solutions, session expiration and similar are the imperfect tools you use to solve your problem.

One beef I have with short session expiration, though, is that in many cases it causes people to degrade security. This happens when people get annoyed by having to frequently provide their credentials and rather than enter credentials securely, use even more insecure workarounds.



> One beef I have with short session expiration, though, is that in many cases it causes people to degrade security.

One counterpoint—if sessions last too long, then I forget the password, and reset the password. If sessions are too short, then I choose an insecure password. Neither option is great for security!

Talking about systems for which a password manager doesn’t make sense, like your lock screen password.


If you're remembering your passwords then you are probably using insecure passwords or are re-using passwords across multiple services.


What don't you like about the first option? If you need a password reset feature, then it's necessary. If you don't need it, then remove it.


This is why I prefer short sessions and requiring frequent, passwordless, biometric authentication. Still relatively low friction for the user, and no password to remember or forget, while still reasonably high friction for an attacker.



