Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Time expiration issue in JWT

Tags:

authentication

jwt

json-web-token

As you know, there are some good reasons for using token based authentication instead of session based.

In session based, of course there is a expiration time. So if user is not active for a while, his session get expired. But before expiring, if he send request to server, his time will be extended.

There is an awesome tutorial here about JWT. I have a question about expiration time for token. Imagine we set the expiration time to 100 seconds, then we sign the token. It doesn't matter user is active or not. After 100 seconds that token will not be valid anymore. This bothers the user. Is there any way to extend the time?

Is it a true approach, or maybe I have a mistake. Any idea?

like image 590
Vahid Najafi Avatar asked Dec 24 '16 16:12

Vahid Najafi

People also ask

How can JWT token expire time?

You can use a lib(like jwt_decode) to decode your JWT token, where it's most likely contains an expiration timestamp that you can check(compare it with the current timestamp for this moment) and if it exceeded(expired) just delete it from local storage and redirect user to login page.

What is the max expiration time accepted by JWT tokens?

The API returns a short-lived token (JWT), which expires in 15 minutes, and in HTTP cookies, the refresh token expires in 7 days.

What format is the EXP expiration time claim in a JWT?

A JSON numeric value representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds.

How do you check if a JWT is expired?

verify method to a function that returns a promise and assign it to jwtVerifyAsync . Then we call jwtVerifyAsync with the token and the token secret to check if the token is valid. If it's expired, then it's considered invalid and an error will be thrown.

1 Answers

Silent refresh There are 2 major problems that users of our JWT based app will still face:

Given our short expiry times on the JWTs, the user will be logged out every 15 minutes. This would be a fairly terrible experience. Ideally, we'd probably want our user to be logged in for a long time. If a user closes their app and opens it again, they'll need to login again. Their session is not persisted because we're not saving the JWT token on the client anywhere. To solve this problem, most JWT providers, provide a refresh token. A refresh token has 2 properties:

It can be used to make an API call (say, /refresh_token) to fetch a new JWT token before the previous JWT expires. It can be safely persisted across sessions on the client!

Here a brilliant exhibition in HASURA BLOG--> https://hasura.io/blog/best-practices-of-using-jwt-with-graphql/

like image 102
Frank Avatar answered Oct 02 '22 11:10

Frank
Sign in to Comment

Related questions

Stateless RESTful API and 3rd party authentication
Sign in with Mongo shell without having password shown?
Change design of Identity server V3 login page
Cookie Authentication ASP.NET Core
How do identity server validate the token at API or when we use Authorize attribute?
How to pass username and password in TeamCity REST API
Laravel 4 Auth::attempt() always returns false
How to wrap Actions (in any order) when using Play's ActionBuilder?
What is the best authentication method for sails.js?
Slim 3 Middleware Redirect
Security against CSRF attacks via GET requests?
AuthenticationBuilder does not contain a definition for AddAzureAd
How to redirect to login page for restricted pages in next.js?
Anonymous access and NTLM authentication in IIS
Where is .ASPXAUTH cookie
nginx: auth_basic and php
CakePHP 2.x Auth Condition
Spring Security using both username or email
android sdk prompt toast message in account settings
How to invalidate .AspNet.ApplicationCookie after Adding user to Role using Asp.Net Identity 2?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!