
> theft is that it also immediately alerts the user

The user may or may not know of theft or leak.

And even if they are aware, they may not remember every remote system they were logged into.

> Rotate it after 30 days if you want (or 5 days, or 1 day - just don't do it every 15 minutes).

So we've gone from arguing that short sessions don't work, to arguing that it works for such a large % of the cases that it could be relaxed.
I don't think my argument has changed a whit - Short sessions cause more pain than they solve. They are a bad security tool for almost all products.

Arguing that short sessions are bad is not the same as arguing that rotation never has its place. Rotation can provide some benefits.

My argument is that EXCESSIVE rotation (aka: short sessions, the whole freaking conversation) is folly.

It's a bad decision usually implemented without thought or understanding (it's on the checklist...), which has a high cost to users, and actively degrades the product.

In return for the costs of short sessions, what are you proposing that your users gain?

Because personally, logging in every 15 minutes for the rest of my life is a god damn travesty of an exchange to make to cover me on the one case where my laptop goes missing. Especially since that's not a very common vector for account theft. It's SO much more likely someone just calls the help center and claims to be me and gets in just fine.
