
I gave session tokens a 24-hour expiry in Open Relay
The security audit for Open Relay (oly) had one finding that bothered me more than the rest: session tokens never expired. Once you had authenticated, your token lived in an in-memory HashSet until the daemon restarted. That could be days. If a token leaked from a browser cookie, proxy log, or Referer header, it was valid forever. So I fixed it.

What changed

The token store moved from a HashSet<String> to a HashMap<String, TokenEntry>, where each entry tracks its issued_at timestamp. Every authentication check now validates the token age against a configurable TTL, 24 hours by default. Expired entries get cleaned up lazily during the next auth check, so there's no background thread and no unbounded memory growth.

Why this matters

- A leaked token has a natural death date.
- Long-running daemons don't accumulate unlimited token entries from repeated logins.
- It's backward-compatible: tokens issued before the upgrade work until the TTL na
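As an added example, not Open Relay's own code, here is one way to implement the store described above in Rust (the project's language, judging by the HashSet<String> and HashMap<String, TokenEntry> types). The TokenEntry shape, the TokenStore type, its method names, the injected `now` clock parameter and the extra revoke method are assumptions for illustration; the post says nothing about explicit revocation.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// Per-token metadata. Hypothetical shape for this example: the post only says
/// each entry tracks its issued_at timestamp, so that is all we store.
#[derive(Debug, Clone, Copy)]
pub struct TokenEntry {
    pub issued_at: Instant,
}

/// Session token store with a time-to-live. Replaces a bare HashSet<String>
/// that could only answer "is this token known?", never "how old is it?".
pub struct TokenStore {
    tokens: HashMap<String, TokenEntry>,
    ttl: Duration,
}

impl TokenStore {
    /// The post's default: tokens die 24 hours after issue.
    pub const DEFAULT_TTL: Duration = Duration::from_secs(24 * 60 * 60);

    pub fn new(ttl: Duration) -> Self {
        TokenStore { tokens: HashMap::new(), ttl }
    }

    /// Record a freshly issued token. `now` is injected rather than read from
    /// the system clock so the expiry logic can be exercised deterministically;
    /// a daemon would pass `Instant::now()`.
    pub fn insert(&mut self, token: &str, now: Instant) {
        self.tokens.insert(token.to_owned(), TokenEntry { issued_at: now });
    }

    /// Authentication check. Expired entries are purged lazily here, on the
    /// same call, so there is no background reaper thread and the map cannot
    /// grow without bound under repeated logins.
    pub fn is_valid(&mut self, token: &str, now: Instant) -> bool {
        let ttl = self.ttl;
        // saturating_duration_since never panics, even if `issued_at` is
        // somehow later than `now`; such an entry simply counts as fresh.
        self.tokens
            .retain(|_, entry| now.saturating_duration_since(entry.issued_at) < ttl);
        self.tokens.contains_key(token)
    }

    /// Explicit revocation (logout), an assumption beyond the post. A TTL
    /// bounds the damage from a leaked token; it is not a substitute for
    /// removing tokens the user has deliberately given up.
    pub fn revoke(&mut self, token: &str) -> bool {
        self.tokens.remove(token).is_some()
    }

    /// Number of entries currently held, expired-but-not-yet-purged included.
    pub fn stored_count(&self) -> usize {
        self.tokens.len()
    }
}

fn main() {
    let t0 = Instant::now();
    let mut store = TokenStore::new(Duration::from_secs(60));
    store.insert("tok-early", t0);
    store.insert("tok-late", t0 + Duration::from_secs(100));
    // 130 s after t0: tok-early is 130 s old (expired), tok-late is 30 s old.
    let now = t0 + Duration::from_secs(130);
    println!("tok-early valid: {}", store.is_valid("tok-early", now));
    println!("tok-late valid:  {}", store.is_valid("tok-late", now));
    println!("entries left after lazy purge: {}", store.stored_count());
    println!("revoked tok-late: {}", store.revoke("tok-late"));
}
```

The purge runs over the whole map on every check, which matches the lazy scheme the post describes; with a store of a few thousand live sessions that is cheap, and it keeps the expiry decision and the cleanup in one place rather than in a separate reaper that can be forgotten or fall behind.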
