11Ara
Best practices for access and refresh tokens timeout lengths [duplicate]
I'm currently working on an international marketplace website and trying to decide the appropriate timeout lengths for access and refresh tokens.
We try to do the timeouts to be as strict as possible to make it more difficult for bad actors but also try not to worsen user UX too much.
- What timeout settings did you find working the best during your experiences?
- Are there any technical considerations that you only noticed later when increasing the security?
