I am implementing a security token feature in my application. You can specify an expiry time and/or a max number of uses.

If both are specified then both conditions are checked; if only one is specified then just that condition is checked.

My question is, how should I handle the scenario where a token exists without an expiry time or max uses?

Should the user be authenticated, not authenticated, or should an exception be thrown?

// ExpireTime is a DateTime?, MaxUses an int?, Counter the number of uses consumed so far.
// ExpireTime and the clock must use the same kind of time (UTC is the safe choice; local
// time shifts by an hour at DST changes). "Counter < MaxUses" is used in both branches below;
// the original "<=" in the MaxUses-only branch permitted one use beyond the limit.
bool retval;
if (this.ExpireTime.HasValue && this.MaxUses.HasValue)
    retval = DateTime.Now < this.ExpireTime.Value && this.Counter < this.MaxUses.Value;
else if (this.ExpireTime.HasValue)
    retval = DateTime.Now < this.ExpireTime.Value;
else if (this.MaxUses.HasValue)
    retval = this.Counter < this.MaxUses.Value;
else
{
    throw new ApplicationException("Invalid AuthToken: ExpireTime And MaxUses are null");
}
A: 

You need to choose what it means to not expire. Given the purpose of your application and its use cases, should the token be valid forever? Or would it be more appropriate to create a max expiration/max uses?

atk
A: 

If not all of the information exists, your "invalid authtoken" exception should be thrown. A token should always expire; for instance, if a session id doesn't expire, it's a violation of CWE-613. The security behind these systems is a cryptographic nonce; if they do not expire, then eventually an attacker can guess its value.

Rook
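The following is an added example, not code from the question or either answer. It implements the policy the thread converges on: the check from the question (expiry and/or max uses, with the "neither set" case rejected rather than treated as valid) plus Rook's point that a token should always expire, enforced by clamping every token to a hard lifetime ceiling. The `MaxLifetime` value, the injected clock and the `TryConsume` name are assumptions made for the example. The use counter is incremented under a lock so that two concurrent requests cannot both pass the last-use check, which the question's read-then-increment pattern would allow.

```csharp
// Added example (not from the original question or answers): a fail-closed
// token validator. Assumed policy: every token expires within MaxLifetime.
using System;

public sealed class AuthToken
{
    // Hard ceiling on lifetime (assumed policy value, not from the page):
    // even a "max uses only" token expires after this long.
    public static readonly TimeSpan MaxLifetime = TimeSpan.FromDays(30);

    private readonly object _gate = new object();
    private readonly Func<DateTime> _utcNow;   // injected clock so the example can move time
    private int _counter;                      // uses consumed so far

    public DateTime ExpireTime { get; }        // always set: clamped to the ceiling if absent
    public int? MaxUses { get; }

    public AuthToken(DateTime? expireTimeUtc, int? maxUses, Func<DateTime> utcNow = null)
    {
        _utcNow = utcNow ?? (() => DateTime.UtcNow);

        // Fail closed: a token with neither bound would be valid forever.
        if (!expireTimeUtc.HasValue && !maxUses.HasValue)
            throw new ArgumentException("Invalid AuthToken: ExpireTime and MaxUses are both null");
        if (maxUses.HasValue && maxUses.Value <= 0)
            throw new ArgumentOutOfRangeException(nameof(maxUses), "MaxUses must be positive");
        if (expireTimeUtc.HasValue && expireTimeUtc.Value.Kind != DateTimeKind.Utc)
            throw new ArgumentException("ExpireTime must be UTC", nameof(expireTimeUtc));

        // Clamp to the ceiling so every token expires, even when the caller only
        // asked for a use limit or asked for a lifetime longer than allowed.
        DateTime ceiling = _utcNow().Add(MaxLifetime);
        ExpireTime = expireTimeUtc.HasValue && expireTimeUtc.Value < ceiling
            ? expireTimeUtc.Value
            : ceiling;
        MaxUses = maxUses;
    }

    // Check and consume one use in a single critical section, so two concurrent
    // callers cannot both observe Counter < MaxUses on the final use.
    public bool TryConsume()
    {
        lock (_gate)
        {
            if (_utcNow() >= ExpireTime) return false;
            if (MaxUses.HasValue && _counter >= MaxUses.Value) return false;
            _counter++;
            return true;
        }
    }

    public int UsesConsumed { get { lock (_gate) return _counter; } }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed fixed clock so the run is deterministic.
        DateTime now = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc);
        Func<DateTime> clock = () => now;

        // Max-uses-only token: two uses are consumed, the third attempt is refused.
        var byUses = new AuthToken(null, 2, clock);
        Console.WriteLine("use 1: " + byUses.TryConsume());
        Console.WriteLine("use 2: " + byUses.TryConsume());
        Console.WriteLine("use 3: " + byUses.TryConsume());

        // Expiry-only token: accepted before the instant, refused once the clock reaches it.
        var byTime = new AuthToken(now.AddMinutes(5), null, clock);
        Console.WriteLine("before expiry: " + byTime.TryConsume());
        now = now.AddMinutes(5);
        Console.WriteLine("at expiry: " + byTime.TryConsume());

        // Neither bound: the constructor refuses to mint a token that never expires.
        try { new AuthToken(null, null, clock); }
        catch (ArgumentException ex) { Console.WriteLine("rejected: " + ex.Message); }
    }
}
```

Two design choices worth noting: rejecting the unbounded token at construction time rather than at check time means a misconfigured token never reaches storage, and comparing `_utcNow() >= ExpireTime` (refusing at the exact instant) matches the question's `DateTime.Now < ExpireTime` acceptance test.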