Bbit

Reputation: 442

unchecked remember me functionality

I have a website with jwt and refresh tokens. The jwt has a very short lifetime, something like 5 minutes and the refresh token lifetime is set to something like 6 months when the remember me is checked.

I want to know what is the best solution for when the remember me is unchecked. Should the refresh token simply have a shorter lifetime? Like a few hours? Or maybe on leaving the website I should clear the local storage with the jwt/refresh token data? Is there any other better solution?

Upvotes: 1

Views: 228

Answers (1)

Dominic Panarello

Reputation: 153

Your refresh token should be configured as the maximum intended lifetime of the user's session. When they don't want to be remembered, this should mean:

  • Any cookies your app/server creates should be session cookies
  • When the user explicitly logs out, the user's session should be fully cleared
  • Your refresh tokens should last as long as a standard user session, e.g. for business apps, the length of a standard business day (12 hours)

Upvotes: 1
