
I worry about a couple of things. Many apps don't end other sessions when you log out or change passwords. My example above doesn't handle that.

Poorly written backends only check if a user is active during login. So a lingering session remains usable. Imagine an employee is fired, they are angry, their account is disabled, but they still have access. In some rare cases sessions for deleted users still work.

You'll see this most often with apps that rely on client side cookie expiration as sessions appear to expire, but they don't.

Personally, I want short sessions on things like my bank account. For stuff like HN, long is great.
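The failure modes in the comment above (sessions surviving a password change, sessions for disabled or deleted users, and expiry enforced only by the client's cookie) all come from validating the user once at login and trusting the session token afterwards. The following is an added example, not code from the commenter or from any real application, showing a server-side session store that re-checks the account on every request, expires idle sessions on the server regardless of what the client cookie says, and revokes other sessions when the password changes. The `SessionStore`, `User` and `Session` names, the 15-minute idle limit and the injectable `clock` are all constructed for this example.

```python
import secrets
import time
from dataclasses import dataclass

SESSION_TTL = 15 * 60  # constructed value: 15 minutes of inactivity, enforced server-side


@dataclass
class User:
    user_id: str
    active: bool = True
    # Bumped on password change or "log out everywhere"; sessions carry the
    # generation they were issued under and become invalid once it moves on.
    session_generation: int = 0


@dataclass
class Session:
    user_id: str
    generation: int
    created: float
    last_seen: float


class SessionStore:
    """In-memory stand-in for a database- or Redis-backed session table."""

    def __init__(self, ttl=SESSION_TTL, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock  # injectable so tests can advance time deterministically
        self.users = {}
        self.sessions = {}

    def add_user(self, user_id):
        self.users[user_id] = User(user_id)

    def login(self, user_id):
        """Issue a random, unguessable token; refuse disabled or unknown users."""
        user = self.users.get(user_id)
        if user is None or not user.active:
            return None
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self.sessions[token] = Session(user_id, user.session_generation, now, now)
        return token

    def validate(self, token):
        """Run on every request. Returns the user id, or None if the session is dead."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        now = self.clock()
        if now - sess.last_seen > self.ttl:
            # Server-side idle expiry: a client that kept (or edited) its cookie
            # past this point gets nothing.
            del self.sessions[token]
            return None
        user = self.users.get(sess.user_id)
        if user is None or not user.active or user.session_generation != sess.generation:
            # Deleted user, disabled user, or password changed since issuance.
            del self.sessions[token]
            return None
        sess.last_seen = now
        return user.user_id

    def logout(self, token):
        self.sessions.pop(token, None)

    def change_password(self, user_id, keep_token=None):
        """Invalidate every session for the user except, optionally, the one making the change."""
        user = self.users[user_id]
        user.session_generation += 1
        for tok, sess in list(self.sessions.items()):
            if sess.user_id != user_id:
                continue
            if tok == keep_token:
                sess.generation = user.session_generation
            else:
                del self.sessions[tok]

    def disable_user(self, user_id):
        """Offboarding: flag the account and eagerly drop its sessions."""
        self.users[user_id].active = False
        for tok, sess in list(self.sessions.items()):
            if sess.user_id == user_id:
                del self.sessions[tok]


def demo():
    """Walk through the scenarios from the comment and return what each request sees."""
    now = [1000.0]
    store = SessionStore(ttl=60, clock=lambda: now[0])
    store.add_user("alice")
    t1 = store.login("alice")
    t2 = store.login("alice")  # second device
    results = {"fresh": store.validate(t1) == "alice"}
    store.change_password("alice", keep_token=t1)
    results["other_session_after_pw_change"] = store.validate(t2)  # None: revoked
    results["own_session_after_pw_change"] = store.validate(t1)    # "alice": kept
    now[0] += 61                                                   # idle past the TTL
    results["idle_expired"] = store.validate(t1)                   # None
    t3 = store.login("alice")
    store.disable_user("alice")                                    # the fired employee
    results["disabled_user"] = store.validate(t3)                  # None
    results["login_when_disabled"] = store.login("alice")          # None
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome!r}")
```

The important design choice is that `validate()` consults the user record, not just the session row, so disabling or deleting an account takes effect on the next request even if some code path forgets to call `disable_user()`'s eager revocation; the generation counter gives the same property to password changes without having to enumerate sessions at all.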


