Allowing expiration retains insecurity, while *NOT* allowing expiration makes it a trivial DoS target.