So up until now I've been generating a JWT with the userId and storing it in a cookie with a 2-month lifetime. Now I've heard and seen more and more companies and APIs using refresh/access tokens instead of one single token: usually the refresh token expires after a really long time (6 months to a few years) and sometimes it never expires (unless the user does "logout everywhere", resets the password, etc.), and the access token expires after something like 15-25 minutes, and you can of course generate a new one using the refresh token.

My questions are:

Why use access/refresh over a single access token? If someone manages to steal the access token, they're probably capable of stealing the refresh token as well (with XSS, insecure cookies, etc.).

And I'm aware that some companies even put some user data in the access token (which expires and gets deleted from the cookies after 15-25 minutes), like email, username, name, etc., so that on the backend the JWT payload lets the backend avoid a call to the DB to fetch that data or verify the existence of the user (like you would when putting only the userId in the payload).

Thanks in advance :)
Submitted September 27, 2020 at 12:55PM by s_trader
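As an added illustration of the pattern asked about (example code, not from the poster or any project), a stdlib-only sketch of the two token roles: the access token is a self-contained HS256 JWT that the API checks without a database call, while refresh tokens are opaque, stored server-side, rotated on every use and revocable, which is what lets a "logout everywhere" or a detected theft cut a session short even though the refresh token itself is long-lived. The secret, TTLs and user identifiers are constructed values.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-secret"  # constructed for the example; load from a secret store in practice
ACCESS_TTL = 15 * 60                 # short-lived access token (15 minutes, as in the post)
REFRESH_TTL = 180 * 24 * 3600        # long-lived refresh token (about 6 months)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_access_token(claims: dict, now: int) -> str:
    """HS256 JWT carrying user claims, so the API can serve requests without a DB lookup."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({**claims, "iat": now, "exp": now + ACCESS_TTL}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_access_token(token: str, now: int):
    """Stateless check: recompute the HMAC with our fixed algorithm (the header's alg is never
    trusted) and test expiry. Returns the claims, or None if the token is bad or expired."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        return None
    claims = json.loads(_unb64(payload))
    return claims if claims.get("exp", 0) > now else None

class RefreshStore:
    """Server-side refresh tokens: opaque, single-use and revocable, unlike the stateless JWT."""
    def __init__(self):
        self.tokens = {}  # refresh token -> (user_id, expires_at)
    def issue(self, user_id: str, now: int) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user_id, now + REFRESH_TTL)
        return token
    def rotate(self, token: str, now: int):
        """Exchange a refresh token for a new access/refresh pair; a spent, revoked or expired token fails."""
        entry = self.tokens.pop(token, None)
        if entry is None or entry[1] <= now:
            return None
        user_id = entry[0]
        return make_access_token({"sub": user_id}, now), self.issue(user_id, now)
    def revoke_all(self, user_id: str) -> None:
        """'Logout everywhere': drop every refresh token for the user; access tokens lapse within ACCESS_TTL."""
        self.tokens = {t: v for t, v in self.tokens.items() if v[0] != user_id}
```

Because the access token is checked statelessly, revocation takes effect only once it expires, which is why its lifetime is kept to minutes while the revocable refresh token carries the long lifetime.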