A WalletConnect session currently lasts 24 hours. The only thing enforcing this limit is the bridge implementation, which discards the session after 24 hours. Expiry also needs to be handled on both the browser and the mobile side.
There are some concerns about how secure it is to persist the session data (session id, shared key and bridge url) in the browser's local storage. One suggestion was to use iframes to sandbox this data but, as Taylor mentioned from her experience with MyCrypto, that is not a secure approach.
Source of MyCrypto security audit: https://github.com/MyCryptoHQ/MyCrypto/wiki/Audit
There was also a suggestion to look into the U2F implementations used by hardware wallets to learn how they secure their communications:
For non-whitelisted origins, messages pass through an iframe trampoline, which must be loaded manually from the website, with the source chrome-extension://pfboblefjcgdjicmnffhdgionmgcdmne/u2f-comms.html. Since this iframe runs under a different origin, its scripts will not have access to the context of the containing web page. However, the web page can message it by creating a MessageChannel to obtain two entangled MessagePorts, and delivering one of them to the iframe via a postMessage with the body “init”.
As a short-term approach, this session data could simply be stored in local storage for the Beta version of the WalletConnect standard.
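
An added example (not WalletConnect's own code) of the client-side handling described above: the session data is written to local storage with a creation timestamp and wiped on load once the bridge's 24-hour lifetime has passed. The storage key, function names and field names are assumptions.

```javascript
// Hypothetical names throughout; only the 24-hour lifetime comes from the text.
const SESSION_TTL_MS = 24 * 60 * 60 * 1000; // bridge discards sessions after 24 hours
const STORAGE_KEY = "walletconnect.session"; // assumed key name
const REQUIRED = ["sessionId", "sharedKey", "bridgeUrl"];

// Persist only the three session fields, plus the time the session was created.
function saveSession(storage, session, now = Date.now()) {
  for (const field of REQUIRED) {
    if (typeof session[field] !== "string" || session[field] === "") {
      throw new TypeError(`missing session field: ${field}`);
    }
  }
  const { sessionId, sharedKey, bridgeUrl } = session;
  storage.setItem(STORAGE_KEY, JSON.stringify({ sessionId, sharedKey, bridgeUrl, createdAt: now }));
}

// Return the stored session, or null (after wiping it) if it is malformed or expired.
function loadSession(storage, now = Date.now()) {
  const raw = storage.getItem(STORAGE_KEY);
  if (raw === null) return null;
  let record;
  try {
    record = JSON.parse(raw);
  } catch {
    record = null;
  }
  const wellFormed =
    record !== null && typeof record === "object" &&
    REQUIRED.every((f) => typeof record[f] === "string" && record[f] !== "") &&
    Number.isFinite(record.createdAt);
  const age = wellFormed ? now - record.createdAt : NaN;
  // age < 0 means createdAt lies in the future (clock change or edited record).
  if (!wellFormed || age < 0 || age >= SESSION_TTL_MS) {
    storage.removeItem(STORAGE_KEY); // do not leave the shared key behind
    return null;
  }
  return { ...record, expiresAt: record.createdAt + SESSION_TTL_MS };
}

// In-memory stand-in exposing the Web Storage method names, so this runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => void m.set(k, String(v)),
    removeItem: (k) => void m.delete(k),
  };
}
```

In a browser, pass `window.localStorage` as the `storage` argument; the expiry check only mirrors the bridge's limit and does not address the storage concerns raised above.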