vvo / iron-session

🛠 Secure, stateless, and cookie-based session library for JavaScript

Home Page:https://get-iron-session.vercel.app

Question: Does an expired seal make the data contents unreadable?

chrisroode opened this issue · comments

Hello, I'm using Iron for a less conventional method to encrypt sensitive information in my database. Simply use seal() and unseal() with a separate private password, and store the resulting string in the database. My concern is, if the data is persistent and untouched for a long period of time, will it become unreadable to the unseal() function?

I have tested creating seals that last 60 seconds, and they unseal okay after over a minute.

I have done some experimenting, and I tried setting TTL to 1. The seals were able to be opened for at least a few minutes, which doesn't appear to be right. Also, I am getting just an empty object with no errors when attempting to unseal an expired token.

Are there ways to access the contents of a seal after expiry? I want to use this for storage of sensitive information, but want to ensure that I can bypass the expiration of the seal.

There's a small window of time during which a seal will be able to be decoded even if expired (60s I think); this is to acknowledge any time delays/misconfiguration in servers/clients.

As for your use case, I would not recommend using iron-session for that; this is a session library, it has not been reviewed for heavy security usages like yours. And I have no idea if you can decode once the TTL has passed. You should use something else I think.

Good luck.

Thanks!