On 30.04.20 01:15, Bernd Zeimetz wrote:
>
> On 4/28/20 3:20 PM, Thomas Goirand wrote:
>
>> That's not the case. An MITM attack could gain a session and maintain it
>> open, while the end user would just notice "oh shit, I mistyped the
>> 2FA numbers, let's try again". Then the only thing the attacker needs to
>> do is keep the session open to not lose access...
>
> I hope you realize that no session is open forever.

Just for giggles: [longest TCP connection](https://ask.slashdot.org/comments.pl?sid=1462&cid=1673396)