Handling expiry/"remember me" functionality with JWT

Conceptually, I really like JWT as it is in line with the statelessness of REST etc (no state saved server-side, all relevant data is contained in the token).

What I am unsure about: how would you handle token expiry when not connected (i.e., a "remember me" functionality)?

There's an emerging coverage of JWT on the web, but I couldn't find anyone that answered the expiry question yet.

Clarification: I am not asking how to handle a token soon-to-expire, but what to do when a token has already expired (user closed website/app for a while). The simplest solution that comes to my mind is caching the user's credentials, which is rather insecure.

arnuschky asked May 12 '14 07:05




1 Answer

I am not so sure if I follow but I will write what I think.

Imagine the token as a hotel card, you pay in advance for 5 days (remember me set to expire on 5 days). I can enter the building, garage, room, etc. within those 5 days, after those 5 days, it won't work anymore.

What to do when token has already expired? Nothing at all.

Imagine I pay those 5 days and meh, I had an urgency and I go back home (with the card in my pocket). The hotel doesn't care at all; when the 5 days pass, the card is just a useless piece of plastic, and if you try to use it at the hotel, it will do nothing.

So back to web development. If you offer a remember me service, you can put an expiry date of, let's say, 7 days. As long as the user has the token, he can access the service without any problem. If he loses the token, he needs to login again. If he uses the token and it has expired, he will need to login again too.

If he logs in, he gets a token for 7 days; if he doesn't use it anymore and after 20 days he comes again, he would need to login again, the server will just decline his petitions until he does so.

What I would do if you use something like angular on the frontend is to check the token validation on startup so you can have a nice user experience.

What I don't understand about your question is the caching thing though.

Jesus Rodriguez answered Sep 17 '22 06:09
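The behaviour the answer describes, as an added example that is not part of the question or the answer: a server mints an HS256 JWT whose `exp` claim is 7 days when "remember me" is set (15 minutes otherwise), refuses any token that is expired, forged or not HS256, and keeps no state. The signing secret, user id and timestamps are constructed for the demo; the client-side startup check only decodes `exp` for a better user experience and never replaces the server's verification.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"    # assumption: server-side key, never sent to the client
SESSION_TTL = 15 * 60                   # short-lived session when "remember me" is off
REMEMBER_ME_TTL = 7 * 24 * 3600         # 7 days, as in the answer


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: str, remember_me: bool, now: int) -> str:
    """Mint an HS256 JWT; the exp claim alone decides how long the user stays logged in."""
    ttl = REMEMBER_ME_TTL if remember_me else SESSION_TTL
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": user_id, "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now: int):
    """Server side: return the claims if signature and exp are good, else None (no state kept)."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_unb64url(header)).get("alg") != "HS256":
            return None  # refuse anything but the algorithm we issue (e.g. "none")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None  # forged or tampered: the "hotel card" was not issued by us
        claims = json.loads(_unb64url(payload))
    except (ValueError, TypeError):
        return None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None  # expired: the card is now a useless piece of plastic
    return claims


def client_should_reauth(token: str, now: int) -> bool:
    """Frontend startup check (UX only): decode exp without the secret; the server still decides."""
    try:
        exp = json.loads(_unb64url(token.split(".")[1])).get("exp")
    except (ValueError, IndexError, TypeError):
        return True
    return not isinstance(exp, int) or now >= exp
```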