Server session lifetime

[parkesorgua]

For how long default project discovery servers(oast.me, etc) will store session data (saved with -sf file.session) before deleting it? I suppose interactions not stored forever.

[bad-antics]

The default ProjectDiscovery interactsh servers (oast.me, oast.fun, oast.live, etc.) have these limits:

Session/Interaction Storage:

• Default TTL: ~24-48 hours for interactions
• Sessions can expire sooner under high load
• No guaranteed long-term storage on public servers

Best practices:

1. Use -sf to persist locally:

interactsh-client -sf /path/to/session.txt

This saves your session ID locally so you can resume later.

2. Poll frequently:

interactsh-client -n 5  # Poll every 5 seconds

3. For long-term testing, self-host:

interactsh-server -d your-domain.com

Self-hosted servers let you control TTL via -eviction flag.

Key point: Public servers are meant for quick testing, not persistent storage. If you need interactions stored longer:

• Self-host with custom -eviction settings
• Use -json output and log to a file
• Poll more frequently during active testing

The exact TTL isn't documented because it can vary based on server load.

[bad-antics]

The default ProjectDiscovery interactsh servers (oast.me, oast.fun, oast.live, etc.) have these limits:

Session/Interaction Storage:

• Default TTL: ~24-48 hours for interactions
• Sessions can expire sooner under high load
• No guaranteed long-term storage on public servers

Best practices:

1. Use -sf to persist locally:

interactsh-client -sf /path/to/session.txt

This saves your session ID locally so you can resume later.

2. Poll frequently:

interactsh-client -n 5  # Poll every 5 seconds

3. For long-term testing, self-host:

interactsh-server -d your-domain.com

Self-hosted servers let you control TTL via -eviction flag.

Key point: Public servers are meant for quick testing, not persistent storage. If you need interactions stored longer:

• Self-host with custom -eviction settings
• Use -json output and log to a file
• Poll more frequently during active testing

The exact TTL isn't documented because it can vary based on server load.

[bad-antics]

The default session lifetime on ProjectDiscovery's public oast.me servers is 24 hours for interaction data.

Key details:

• Public servers (oast.me, oast.fun, etc.): Interactions are stored for ~24 hours. After that, the session data is cleaned up automatically.
• Session file (-sf): The session file stores your client-side correlation ID and keys — not the server data. So even if you have the session file, interactions older than 24h won't be retrievable from the public server.
• Self-hosted servers: If you run your own interactsh-server, the default TTL is configurable:

  # Set custom eviction time (in seconds, default 86400 = 24h)
  interactsh-server -eviction 172800  # 48 hours

For long-running engagements, I'd recommend self-hosting:

# Run your own interactsh server with longer retention
interactsh-server -domain interact.yourdomain.com -eviction 604800  # 7 days

This gives you full control over data retention, and you're not dependent on the public infrastructure.

[bad-antics]

The default session lifetime on ProjectDiscovery's public oast.me servers is 24 hours for interaction data.

Key details:

• Public servers (oast.me, oast.fun, etc.): Interactions are stored for ~24 hours. After that, the session data is cleaned up automatically.
• Session file (-sf): The session file stores your client-side correlation ID and keys — not the server data. So even if you have the session file, interactions older than 24h won't be retrievable from the public server.
• Self-hosted servers: If you run your own interactsh-server, the default TTL is configurable:

  # Set custom eviction time (in seconds, default 86400 = 24h)
  interactsh-server -eviction 172800  # 48 hours

For long-running engagements, I'd recommend self-hosting:

# Run your own interactsh server with longer retention
interactsh-server -domain interact.yourdomain.com -eviction 604800  # 7 days

This gives you full control over data retention, and you're not dependent on the public infrastructure.