JWT and authentication safety/patterns

Time:03-09

I'm building an authentication and authorization system in JavaScript using JWT tokens. Basically, when I log in I store in httponly cookies:

  • JWT Token
  • JWT Refresh Token
  • user information (id, username, email)
  • JWT expiration (5 minutes from when it's generated)

When the JWT is still valid, protected pages do a remote check for user validity (I request an API, passing the userId and the auth token as an Authorization bearer). The remote check can take some time (less than a second), but every protected page shows a loading spinner while checking. I was wondering how safe it is to assume the user is logged in if the JWT is still valid (or the refresh token gets a new JWT) and the cookie with the user data is present. No external requests involved, unless you need to refresh the JWT.

CodePudding user response:

I was wondering how safe it is to assume the user is logged in if the JWT is still valid (or the refresh token gets a new JWT) and the cookie with the user data is present

JWTs are not fit as a mechanism for managing sessions. A JWT has its own expiration time, and this is independent of the user's session. If you need to manage a user's session, just use mechanisms for sessions and scrap the JWT.
