Do I need to update tokens every request?

I'm here because I'm not happy with what I found on google.

I was building a SPA in general, so the process was simple for me: on successful login, create a jwt and use it for every request I make from a client.

Someone told me that I have to refresh this token and send a new one for every request I make. Does this make sense to me? I mean, if someone tries to hack me, sniffing the requests will give the hacker the same tokens I receive, so what's the catch?

I mean, what if I run a query before another one completes? In theory, I would send the same token twice and one of the requests would be denied.

How is this handled correctly? I'm sure there is more to this than what I could have imagined.

+3


1 answer


This is a trade-off between safety and convenience.

No, you don't need to refresh the token on every request. But you definitely want your JWTs to expire at some point. This should protect you from JWT theft, where an attacker can use a stolen access token to gain unrestricted access to the target resource.



Here's what you can do to deal with token expiration:

  • Implement refresh tokens. On authentication you issue an access JWT and a refresh JWT. After the access JWT has expired, you use the refresh JWT to get a new access JWT.
  • Implement sliding expiration. After half of the JWT's lifetime has passed, you issue a new JWT. An example of this can be found here. I would recommend including an absolute deadline after which the token can no longer be renewed. For example, the first token expires in 20 minutes and the absolute expiry is 8 hours. After 8 hours of sliding, you stop issuing new tokens.
+4

