Home > front end >  What is the purpose of the refresh token if it can be stolen as well?
What is the purpose of the refresh token if it can be stolen as well?

Time:02-04

Main purpose is security: Shortened access token is important, because if someone stoles an expired token, then the attacker cannot use it, because it is expired.

We can obtain new access token with refresh token without the client needs to login again. Refresh tokens live longer.

I still don't get why refresh tokens was invented, because it can be stolen the same way as access token, right? If someone stoles refresh token, then the attacker gets access token as well.

CodePudding user response:

  1. Refresh tokens are being sent on the network way less than access tokens, so if your network is being sniffed, they will find the refresh token every 30mins (for example) in one request, so the window for you to be exposed is very small (you need to be sniffing in the right moment and for a long time)

  2. Refresh tokens can be revoked, so if a user's token is stolen, the user can revoke its refresh token, but with a stateless access token with a long expiration time, it's not possible to close a session

  3. If you want to store your access tokens, so they are revokable and get rid of refresh tokens, then you are not using a stateless JWT token, so you have to hit your database for each request you receive to check if the token is still valid or not.

Page link:https//www.codepudding.com/frontend/692695.html

Prev:Trying to use Image from "next/Image" throws a TypeScript error
Next:Is there a way to take a key from one dictionary and add it to another?
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding