Time expiration issue in JWT

As you know, there are some good reasons for using token-based authentication instead of session-based.

In session-based authentication, of course there is an expiration time. So if the user is not active for a while, his session gets expired. But if he sends a request to the server before it expires, his time will be extended.

There is an awesome tutorial here about JWT. I have a question about the expiration time for the token. Imagine we set the expiration time to 100 seconds, then we sign the token. It doesn't matter whether the user is active or not: after 100 seconds that token will not be valid anymore. This bothers the user. Is there any way to extend the time?

Is this the right approach, or maybe I have made a mistake? Any idea?

Vahid Najafi asked Dec 24 '16 16:12

1 Answer

Silent refresh

There are 2 major problems that users of our JWT based app will still face:

1. Given our short expiry times on the JWTs, the user will be logged out every 15 minutes. This would be a fairly terrible experience. Ideally, we'd probably want our user to be logged in for a long time.
2. If a user closes their app and opens it again, they'll need to log in again. Their session is not persisted because we're not saving the JWT token on the client anywhere.

To solve this problem, most JWT providers provide a refresh token. A refresh token has 2 properties:

1. It can be used to make an API call (say, /refresh_token) to fetch a new JWT token before the previous JWT expires.
2. It can be safely persisted across sessions on the client!

Here is a brilliant exhibition on the HASURA BLOG --> https://hasura.io/blog/best-practices-of-using-jwt-with-graphql/

Frank answered Oct 02 '22 11:10
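The pattern the answer describes, as an added example that is not part of the question or the answer: a 100-second JWT (the asker's figure) that is simply invalid once exp has passed, plus a server-side refresh-token store and a /refresh_token handler that trades a live refresh token for a fresh JWT. It uses only the Python standard library with a demo HS256 key; the secret, the store, the function names and the explicit `now` argument (passed in rather than read from the clock so the flow can be checked at fixed instants) are all assumptions of this example.

```python
import base64, hashlib, hmac, json, secrets
from typing import Dict, Optional, Tuple
SECRET = b"constructed-demo-secret"  # assumption: the server's HS256 key (demo value only)
ACCESS_TTL = 100                     # seconds, the figure from the question
REFRESH_TTL = 7 * 24 * 3600          # seconds, the 7-day refresh lifetime from the answer

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(sub: str, now: float, ttl: int = ACCESS_TTL) -> str:
    """Mint an HS256 JWT whose exp claim is ttl seconds after now."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "iat": int(now), "exp": int(now) + ttl}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, now: float) -> Optional[dict]:
    """Return the claims only if alg is HS256, the MAC matches and exp is still in the future."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_unb64url(header)).get("alg") != "HS256":
            return None  # never let the token choose the algorithm
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(payload))
    except ValueError:
        return None
    if claims.get("exp", 0) <= now:  # past exp the token is simply invalid, as the asker observed
        return None
    return claims

REFRESH_STORE: Dict[str, Tuple[str, int]] = {}  # constructed server-side store: id -> (subject, expiry)

def issue_refresh_token(sub: str, now: float) -> str:
    rt = secrets.token_urlsafe(32)  # opaque random id; nothing to decode on the client side
    REFRESH_STORE[rt] = (sub, int(now) + REFRESH_TTL)
    return rt

def refresh(rt: str, now: float) -> Optional[Tuple[str, str]]:
    """The /refresh_token call: a live refresh token buys a new short-lived JWT and is rotated."""
    entry = REFRESH_STORE.pop(rt, None)  # single use, so a replayed refresh token is rejected
    if entry is None or entry[1] <= now:
        return None
    return sign_jwt(entry[0], now), issue_refresh_token(entry[0], now)
```

The client keeps only the refresh token across sessions and calls refresh() shortly before the JWT's exp, so the user is never logged out while the refresh token is live.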