popeating

Reputation: 454

JWT and authentication safety/patterns

I'm building an authentication and authorization system in JavaScript using JWT tokens. Basically, when I log in I store in HttpOnly cookies:

When the JWT is still valid, protected pages do a remote check for user validity (I request an API, passing the userId and the auth token as an Authorization bearer). The remote check can take some time (less than a second), but every protected page shows a loading spinner while checking. I was wondering how safe it is to assume the user is logged in if the JWT is still valid (or the refresh token gets a new JWT) and the cookie with the user data is present. No external requests involved, unless you need to refresh the JWT.

Upvotes: 0

Views: 270

Answers (1)

Michal Trojanowski

Reputation: 12342

I was wondering how safe it is to assume the user is logged in if the JWT is still valid (or the refresh token gets a new JWT) and the cookie with the user data is present

JWTs are not fit as a mechanism for managing sessions. A JWT has its own expiration time, and this is regardless of the user's session. If you need to manage a user's session, just use mechanisms for sessions, and scrap the JWT.

Upvotes: 0
