Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is it necessary to refresh tokens every request?

I'm here because I wasn't satisfied with what I found on google.

I am generally building SPA's, so for me the process was simple: At succesful login generate a jwt and use it for every request I make from the client.

Someone told me that I should refresh that token and send back a new one for every request I make. Does this make sense for me to do? I mean, if someone is trying to hack me, sniffing the requests will give the hacker the same tokens I receive, so what's the catch?

I mean, what if I launch a request before another one is finished? Teoretically I would send the same token twice and one of the requests will be rejected.

How is this correctly handled? I'm sure there is more to this than what I could think myself.

like image 843
John Avatar asked May 09 '17 18:05

John


People also ask

How often should you refresh token?

The most secure option is for the authorization server to issue a new refresh token each time one is used. This is the recommendation in the latest Security Best Current Practice which enables authorization servers to detect if a refresh token is stolen.

Is refresh token mandatory?

Yes, you need a separate service that issues and refreshes token. It won't update the expiration of the existing JWT Token.

How long should refresh tokens last?

The refresh token is set with a very long expiration time of 200 days. If the traffic to this API is 10 requests/second, then it can generate as many as 864,000 tokens in a day.


1 Answers

It is a compromise between security and convenience.

No, you don't need to refresh the token on each request. But you definitely want your JWTs to expire at some point. This is to protect you from JWT theft where malicious user could use stolen access token to gain access to target resource indefinitely.

Here is what you can do to handle token expiration:

  1. Implement a refresh token flow. You will issue an access JWT and a refresh JWT when authenticating. Once access JWT has expired you will use refresh JWT to obtain new access JWT.
  2. Implement sliding expiration. After the half of the JWT validity time has expired you would issue a new JWT. An example of it can be found here. I would recommend to include a deadline to when a token can be expired. For example, initial token validity is for 20 minutes and deadline is 8 hours. After 8 hours of sliding expiration you will stop issuing new tokens.
like image 134
Marko Vodopija Avatar answered Oct 10 '22 21:10

Marko Vodopija