Can an API ticket be created to expire in 100 years?

  • Question
  • Updated 3 years ago
  • Answered

I want to create a ticket that never expires to use on my server. I see I can set the number of hours for ticket expiration. Is it valid to set hours = 100000000000?

If not, what is the maximum number of hours I can set?

Thanks

Chandrajeet

Posted 3 years ago

Ⲇanom the ultimate (Dan Diebolt), Champion

The API method API_Authenticate does appear to accept an hours parameter which seemingly can take an arbitrarily large number (the default value is 12 hours). I tested it with a googol of hours (1 followed by 100 zeros) and the response generated no error and assigned a valid ticket. However, assigning a large value to hours will actually weaken your security, as, if anyone gains access to the ticket, they could continue to use it for up to 100 years. I think this is true even if the password is changed in another session anytime during the lifetime of the original 100 year ticket. Also, even if an arbitrarily large hours parameter is set, there may be some other mechanism, not documented, that limits the ticket lifetime. I think it is a bad idea to rely on long ticket lifetimes.
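
An added example, not part of the original answer or of QuickBase's own code: one way a server can avoid a long-lived ticket is to request short tickets and renew them before they lapse. The `send` transport, the `TicketCache` class, the one-hour lifetime and the `MAX_HOURS` policy cap are assumptions made for illustration.

```python
import time
import xml.etree.ElementTree as ET

MAX_HOURS = 12  # assumed local policy cap (12 is the default the answer mentions)

def build_auth_request(username, password, hours):
    """Build the API_Authenticate XML body, refusing lifetimes above the local cap."""
    if not 1 <= hours <= MAX_HOURS:
        raise ValueError(f"hours must be between 1 and {MAX_HOURS}, got {hours}")
    root = ET.Element("qdbapi")
    for tag, value in (("username", username), ("password", password),
                       ("hours", str(hours))):
        ET.SubElement(root, tag).text = value
    return ET.tostring(root, encoding="unicode")

def parse_ticket(response_xml):
    """Return the ticket from an API_Authenticate response, or raise on error."""
    root = ET.fromstring(response_xml)
    if root.findtext("errcode") != "0":
        raise RuntimeError(root.findtext("errtext") or "authentication failed")
    ticket = root.findtext("ticket")
    if not ticket:
        raise RuntimeError("response carried no ticket")
    return ticket

class TicketCache:
    """Hold one short-lived ticket and re-authenticate shortly before it expires."""

    def __init__(self, send, username, password, hours=1, margin=300,
                 clock=time.monotonic):
        # send: hypothetical transport that posts the XML body with the
        # API_Authenticate action and returns the response XML as a string.
        self._send, self._clock = send, clock
        self._username, self._password = username, password
        self._hours, self._margin = hours, margin  # margin is in seconds
        self._ticket, self._renew_at = None, 0.0

    def ticket(self):
        now = self._clock()
        if self._ticket is None or now >= self._renew_at:
            body = build_auth_request(self._username, self._password, self._hours)
            self._ticket = parse_ticket(self._send(body))
            # Renew `margin` seconds early so no request carries a stale ticket.
            self._renew_at = now + self._hours * 3600 - self._margin
        return self._ticket
```

With this pattern a leaked ticket is useful for at most the configured lifetime, and the credentials stay in the server's secret store rather than being replaced by a ticket that outlives a password change.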