this post was submitted on 17 Feb 2026
64 points (95.7% liked)
Asklemmy
It sounds like you are assuming that the wallet needs to re-validate each session and I don't see why this would be needed. Each user account would just need to validate their age once then the website operator could store this in their database. If you've validated once you can be sure the user keeps being old enough.
@SirHaxalot@nord.pub @asklemmy@lemmy.ml
One scenario I can imagine is an age check from someone who's still legally a minor (I'm not sure whether the age check would check for minors' faces; I can think of platforms intended for minors, e.g. schools and gaming, having to check if the user is not an adult, but it's just my speculation), who tries again some time later when they're legally into adulthood. If the token isn't validated, they'd be stuck with a perpetual "minor" label.
Sure, a token could be not returned by the wallet if the age check fails (i.e. if the user is a minor), but the associated credentials (email, phone number, username) would be tied, database-wise, to a failed age check attempt, and those teens will one day become adults, and a system shouldn't lock them out forever. Hence the need for re-validation.
Also, depending on how the token is built and stored, it may or may not have an expiration timeout. In computing systems, it's common practice for tokens and sessions to have an expiration date (just like logged-in sessions will eventually log out and ask for a login again). It's different from having to do the age check again: it's simply about renewing the token that identifies someone as an adult, someone who already did the age check, with the wallet simply returning the renewed token without requiring the user to go through the age check flow again.
Another scenario: imagine a relative's phone being pick-pocketed/stolen by the kid late at night, and the kid somehow knows the relative's password/PIN/pattern or even uses the relative's finger on the biometric sensor to unlock it, all during the relative's sleep. Then they head to the "forbidden fruit website", which happens to be accessed by the relative as well, so it means that the website is already authorized with the relative's wallet. I can see govs foreseeing this situation and requiring that websites always re-validate the authorization before effectively letting the user into the website's "adult" content.
I believe that it's specified in the architectural reference framework that it has to re-validate every session, to ensure that the token hasn't been revoked. I'd be happy to be corrected, though!
@yelling_at_cloud@programming.dev @SirHaxalot@nord.pub @asklemmy@lemmy.ml
Exactly! This, too. I forgot to mention it in the reply I just sent to SirHaxalot. And given the GDPR "Right to be forgotten", an authorization must be revocable, so this means an authorization must be re-validated, even if this doesn't necessarily mean having to go through the age check flow all over again.
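The distinction drawn in this thread between renewing an expired token and re-checking for revocation at every session, sketched as an added example that is not part of any comment above and not the wallet framework's actual protocol. The token format, the shared HMAC key, the revocation set and all function names are assumptions made up for illustration.

```python
import base64, hashlib, hmac, json

# Assumptions: a shared HMAC key stands in for a real issuer signature scheme,
# and an in-memory set stands in for the issuer's revocation list.
ISSUER_KEY = b"constructed-demo-key"
REVOKED = set()

def _sign(body):
    return hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()

def issue(token_id, now, ttl=3600):
    """Wallet side: attest only 'over 18' plus an expiry time."""
    body = json.dumps({"jti": token_id, "over18": True, "exp": now + ttl}).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)

def revoke(token_id):
    """Issuer side: withdraw an authorization (e.g. on an erasure request)."""
    REVOKED.add(token_id)

def check_session(token, now):
    """Website side, run at every session start: 'allow', 'renew' or 'reject'."""
    try:
        b64, sig = token.split(".")
        body = base64.urlsafe_b64decode(b64)
    except ValueError:
        return "reject"                    # malformed token
    if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
        return "reject"                    # forged or tampered
    claims = json.loads(body)
    if claims["jti"] in REVOKED:
        return "reject"                    # a stored "adult" flag would miss this
    if now >= claims["exp"]:
        return "renew"                     # expired: fresh token, no new age check
    return "allow"

def renew(old, now):
    """Wallet side: reissue without repeating the age check, unless revoked or forged."""
    if check_session(old, now) == "reject":
        return None
    jti = json.loads(base64.urlsafe_b64decode(old.split(".")[0]))["jti"]
    return issue(jti, now)

if __name__ == "__main__":
    t = issue("tok-1", now=1000, ttl=60)   # constructed sample values
    print(check_session(t, 1010), check_session(t, 1060))
    revoke("tok-1")
    print(check_session(t, 1010), renew(t, 1060))
```
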