Time expiration issue in JWT

48,357

Solution 1

If I understand the question correctly, it is fairly simple to alter the expiration of a JWT token during creation...

The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. The processing of the "exp" claim requires that the current date/time MUST be before the expiration date/time listed in the "exp" claim.

More information can be found here https://www.rfc-editor.org/rfc/rfc7519#section-4.1.4

Basically the exp key takes a unix timestamp - set the timestamp to > 100 seconds from now and you will accomplish your goal.

To "refresh" the token your API needs a service that receives a valid JWT and returns the same signed JWT with the updated expiration.

Solution 2

Silent refresh

There are 2 major problems that users of our JWT based app will still face:

1. Given our short expiry times on the JWTs, the user will be logged out every 15 minutes. This would be a fairly terrible experience. Ideally, we'd probably want our user to be logged in for a long time.
2. If a user closes their app and opens it again, they'll need to login again. Their session is not persisted because we're not saving the JWT token on the client anywhere.

To solve this problem, most JWT providers provide a refresh token. A refresh token has 2 properties:

1. It can be used to make an API call (say, /refresh_token) to fetch a new JWT token before the previous JWT expires.
2. It can be safely persisted across sessions on the client!

Here is a brilliant exposition on the Hasura blog: https://hasura.io/blog/best-practices-of-using-jwt-with-graphql/
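Both answers above rest on the same two mechanics: an exp claim that is a Unix timestamp compared against the current time, and a refresh step that issues a new JWT. The following Python is an added example, not code from either answer or from the Hasura post. It implements HS256 signing and verification with the standard library only, then shows Solution 1 (slide_expiration: a still-valid JWT is reissued with a later exp) and Solution 2 (RefreshTokenStore plus a hypothetical refresh_token_endpoint handler that trades an opaque, server-side refresh token for a fresh JWT). The key, the subject "alice", the clock value t0 and the TTLs are constructed values; the function and class names are this example's own.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class TokenError(Exception):
    """Raised when a token is malformed, forged, expired or already used."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _now(now):
    # Tests pass a fixed clock; real callers leave now=None and get wall time.
    return int(time.time()) if now is None else int(now)


def sign_jwt(claims: dict, key: bytes, ttl_seconds: int, now=None) -> str:
    """Issue an HS256 JWT whose exp is a Unix timestamp ttl_seconds from now (RFC 7519 NumericDate)."""
    now = _now(now)

    def compact(obj):
        return _b64url(json.dumps(obj, separators=(",", ":")).encode())

    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = compact({"alg": "HS256", "typ": "JWT"}) + "." + compact(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, key: bytes, now=None) -> dict:
    """Return the claims of a token whose signature checks and whose exp is still in the future."""
    now = _now(now)
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
    except ValueError:
        raise TokenError("malformed header")
    # Pin the algorithm before touching the signature: the token must never choose it ("none", key confusion).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(p))
    # RFC 7519 4.1.4: the current time MUST be before exp, so now == exp is already expired.
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise TokenError("expired")
    return claims


def slide_expiration(token: str, key: bytes, ttl_seconds: int, now=None) -> str:
    """Solution 1: a refresh service that takes a still-valid JWT and reissues it with a new exp.
    An already-expired token fails verify_jwt first and cannot be revived this way."""
    claims = verify_jwt(token, key, now)
    stable = {k: v for k, v in claims.items() if k not in ("iat", "exp")}
    return sign_jwt(stable, key, ttl_seconds, now)


class RefreshTokenStore:
    """Solution 2: opaque, random, long-lived refresh tokens kept server-side so they can be rotated and revoked."""

    def __init__(self):
        self._live = {}  # refresh token -> (subject, exp)

    def issue(self, subject: str, ttl_seconds: int, now=None) -> str:
        token = secrets.token_urlsafe(32)
        self._live[token] = (subject, _now(now) + ttl_seconds)
        return token

    def redeem(self, token: str, now=None) -> str:
        """Single use: the entry is removed as it is redeemed, so a replayed copy is rejected."""
        entry = self._live.pop(token, None)
        if entry is None:
            raise TokenError("unknown or already-used refresh token")
        subject, exp = entry
        if _now(now) >= exp:
            raise TokenError("refresh token expired")
        return subject

    def revoke(self, subject: str) -> None:
        """Log a user out everywhere: drop every refresh token issued to that subject."""
        self._live = {t: e for t, e in self._live.items() if e[0] != subject}


def refresh_token_endpoint(store, refresh_token, key, access_ttl, refresh_ttl, now=None):
    """Hypothetical /refresh_token handler: trade a refresh token for a new JWT plus a rotated refresh token."""
    subject = store.redeem(refresh_token, now)
    return sign_jwt({"sub": subject}, key, access_ttl, now), store.issue(subject, refresh_ttl, now)


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"
    t0 = 1_700_000_000  # constructed clock, seconds since the Unix epoch
    access = sign_jwt({"sub": "alice"}, key, ttl_seconds=100, now=t0)
    print("valid at t0+99:", verify_jwt(access, key, now=t0 + 99)["sub"])
    access = slide_expiration(access, key, 100, now=t0 + 50)  # exp moves from t0+100 to t0+150
    store = RefreshTokenStore()
    refresh = store.issue("alice", 30 * 86400, now=t0)
    access, refresh = refresh_token_endpoint(store, refresh, key, 900, 30 * 86400, now=t0 + 3600)
    print("refreshed token exp:", verify_jwt(access, key, now=t0 + 3600)["exp"] == t0 + 4500)
```

Two points the answers leave implicit: the sliding reissue of Solution 1 only works while the JWT is still valid, so a user who comes back after the exp has passed must log in again, which is exactly the gap the persisted refresh token of Solution 2 closes. And because a refresh token is long-lived, it is the more valuable thing to steal; the store above keeps it opaque and server-side, rotates it on every redemption so a replayed copy fails, and can revoke every token for a subject, none of which is possible with a self-contained JWT alone.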

Vahid Najafi
Full-stack developer. Tech lead at WebCentriq

Updated on July 09, 2022

Comments

  • Vahid Najafi, almost 2 years

    As you know, there are some good reasons for using token-based authentication instead of session-based.

    In session-based authentication, of course there is an expiration time. So if the user is not active for a while, his session expires. But before it expires, if he sends a request to the server, his time will be extended.

    There is an awesome tutorial here about JWT. I have a question about the expiration time for a token. Imagine we set the expiration time to 100 seconds, then we sign the token. It doesn't matter whether the user is active or not. After 100 seconds that token will not be valid anymore. This bothers the user. Is there any way to extend the time?

    Is this the right approach, or am I making a mistake? Any idea?

  • Maxwelll, over 7 years
    Here is a helpful tool for generating Unix timestamps as well: onlineconversion.com/unix_time.htm
  • Vahid Najafi, over 7 years
    Thank you, but I think you didn't understand my question. Let me explain more. Imagine we use session-based authentication. If the user keeps refreshing the page for a month, he never gets logged out, because on each refresh the session expiration is extended. But here, when we set the exp to 100 seconds after now, even if the user is active, he will be logged out suddenly.
  • Maxwelll, over 7 years
    You can't "set exp to 100 seconds after now"; what you are saying makes no sense to me... Specify a date/time you want the token to expire and convert that to a Unix timestamp. It is pretty simple.
  • Vahid Najafi, over 7 years
    That's OK, it was just an example: 100 seconds after now!! We convert that to a Unix timestamp. What I mean is this: when the user is active and sending requests, suddenly he will be logged out! Let's imagine we refresh the token on each request; how do we handle "remember me" while the user is going to log in?
  • Vahid Najafi, over 7 years
    Thanks. And one more question: what is your idea about remember me functionality?