
Security: Hades cookie has 1-year expiry with no rotation #8

@Snider

Description


The SetHadesCookie listener issues the Hades authentication cookie with a 1-year expiry and no rotation mechanism, so a single captured cookie stays valid for up to a year.

Location

  • File: src/Listeners/SetHadesCookie.php
  • Lines: 27-38

Issue

The Hades cookie is set with:

  • 1-year expiry (60 * 24 * 365 minutes)
  • No rotation on activity
  • Revocation only by changing HADES_TOKEN globally, which logs out every holder at once

This raises several concerns:

  1. Long-lived credentials have a larger exposure window and are more likely to be compromised during their lifetime
  2. Because the cookie derives from one shared HADES_TOKEN, access cannot be revoked for an individual user
  3. Theft of the cookie (for example via XSS or an exposed browser profile) grants access for the remaining life of the cookie, up to a year
  4. There is no activity-based (idle) expiration, so an abandoned session never times out

Recommendation

  1. Reduce the cookie's absolute lifetime to a reasonable duration (e.g., 24-48 hours)
  2. Rotate the cookie value on each request or at a fixed interval, so a stolen copy is quickly superseded
  3. Add per-user revocation (e.g., bind the token to a user-specific value that can be changed server-side without rotating HADES_TOKEN for everyone)
  4. Add an idle timeout that invalidates the cookie after a period of inactivity, independent of the absolute expiry
  5. Track devices/sessions so individual sessions can be revoked selectively
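One way to implement recommendations 1-4 together, shown here as an added example rather than the project's own code. It assumes HADES_TOKEN is used only as a server-side HMAC key (never sent to the client), that a per-user token version is stored server-side (here an in-memory array standing in for a database column), and that user identifiers contain no `.` characters. The Laravel `Cookie::make()`/`cookie()` call that would carry the value is not included; `hadesCookieOptions()` just returns the attributes it would be given.

```php
<?php
// Added example (not the project's code): short-lived, per-user, rotating Hades token.
// Assumptions: $secret is the value of HADES_TOKEN used purely as an HMAC key; the
// per-user token version lives server-side so one user can be revoked by bumping it.
declare(strict_types=1);

const HADES_TTL          = 60 * 60 * 24; // absolute lifetime: 24 hours (instead of 1 year)
const HADES_IDLE         = 60 * 30;      // idle timeout: 30 minutes without a request
const HADES_ROTATE_AFTER = 60 * 5;       // re-issue the cookie once it is 5 minutes old

// Constructed server-side store: bump a user's version to revoke only their tokens.
$tokenVersions = ['alice' => 1, 'bob' => 1];

function hadesMint(string $secret, string $user, int $version, int $issuedAt, int $lastSeen): string
{
    // Nonce makes every rotated token distinct even within the same second.
    $nonce   = bin2hex(random_bytes(8));
    $payload = implode('.', [$user, $version, $issuedAt, $lastSeen, $nonce]);
    $mac     = hash_hmac('sha256', $payload, $secret);
    return $payload . '.' . $mac;
}

// Returns the verified claims, or null if the token is forged, revoked, expired or idle.
function hadesVerify(string $secret, string $token, array $tokenVersions, int $now): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 6) {
        return null;
    }
    [$user, $version, $issuedAt, $lastSeen, $nonce, $mac] = $parts;
    $payload  = implode('.', [$user, $version, $issuedAt, $lastSeen, $nonce]);
    $expected = hash_hmac('sha256', $payload, $secret);
    if (!hash_equals($expected, $mac)) {
        return null; // tampered or forged; constant-time compare
    }
    $version  = (int) $version;
    $issuedAt = (int) $issuedAt;
    $lastSeen = (int) $lastSeen;
    if (!isset($tokenVersions[$user]) || $tokenVersions[$user] !== $version) {
        return null; // per-user revocation: version was bumped server-side
    }
    if ($now - $issuedAt > HADES_TTL) {
        return null; // absolute expiry
    }
    if ($now - $lastSeen > HADES_IDLE) {
        return null; // idle timeout
    }
    return ['user' => $user, 'version' => $version, 'issuedAt' => $issuedAt, 'lastSeen' => $lastSeen];
}

// Rotation: call on every authenticated request; returns a fresh token to set, or null
// when the current one is recent enough to keep (avoids rewriting the cookie each hit).
function hadesRefresh(string $secret, array $claims, int $now): ?string
{
    if ($now - $claims['lastSeen'] < HADES_ROTATE_AFTER) {
        return null;
    }
    // issuedAt is preserved so rotation never extends the absolute lifetime.
    return hadesMint($secret, $claims['user'], $claims['version'], $claims['issuedAt'], $now);
}

// Attributes for Laravel's Cookie::make()/cookie() helper, which takes minutes.
function hadesCookieOptions(): array
{
    return [
        'minutes'  => intdiv(HADES_TTL, 60),
        'path'     => '/',
        'domain'   => null,
        'secure'   => true,
        'httpOnly' => true,
        'raw'      => false,
        'sameSite' => 'lax',
    ];
}

// Constructed demo with a fixed clock and a throwaway secret.
$secret = 'example-only-secret-not-HADES_TOKEN';
$now    = 1700000000;
$token  = hadesMint($secret, 'alice', $tokenVersions['alice'], $now, $now);
var_dump(hadesVerify($secret, $token, $tokenVersions, $now + 60));                  // valid: claims array
var_dump(hadesVerify($secret, $token, $tokenVersions, $now + HADES_IDLE + 1));      // idle timeout: null
var_dump(hadesRefresh($secret, hadesVerify($secret, $token, $tokenVersions, $now + 60), $now + HADES_ROTATE_AFTER));
$tokenVersions['alice']++;                                                           // revoke alice only
var_dump(hadesVerify($secret, $token, $tokenVersions, $now + 60));                  // revoked: null
var_dump(hadesVerify($secret, $token . 'x', $tokenVersions, $now + 60));            // bad MAC: null
```

Two design points worth keeping: rotation preserves the original issuedAt so a session cannot be kept alive indefinitely by staying active, and rotating on an interval rather than on literally every request avoids racing concurrent requests from the same browser, which would otherwise overwrite each other's cookie. Recommendation 5 (device/session tracking) extends this by replacing the single per-user version with one record per session, each independently revocable.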

Severity

Medium - Long-lived credentials increase exposure window if compromised
