CODEWITHSUNDEEP
phplaraveljwtaccess-token
TharakaNirmana
TharakaNirmana

Reputation: 10353

JWT Token Expired PHP Laravel

We have three platforms : PHP backend, android and iOS apps. iOS users are unable to communicate with the backend after few days of using the app.

After debugging I found out the issue is a 401, Token Expired, thrown from JWT.

Sample Request:

URL : https://xx.xx.xxx/api/v1/xx
header : Accept: application/json
parameters : ["userId": xx, "countryId": 0, "deviceType": 1, "pageNo": 1, "token": “xxx”, "deviceToken": “xx”, "shuffleId": "", "action": 1, "buzcategory": "", "keyWord": "", "socialMediaId": "", "totalCount": 100, "productType": "", "businessName": "", "cityId": 0]

Sample Response:

Response : {
  "error" : "Token is Expired",
  "status" : 401
}

I would like to know if making JWT_TTL and JWT_REFRESH_TTL null will fix the issue in jwt.php like:

'refresh_ttl' => env ('JWT_REFRESH_TTL', Null),
'ttl' => env ('JWT_TTL', NULL),
 'required_claims' => [
        'iss',
        'iat',
        // 'exp',
        'nbf',
        'sub',
        'jti',
    ],

Upvotes: 0

Views: 620

Answers (1)

cetver
cetver

Reputation: 11829

The null value will fix a problem, but is not particularly recommended.

I advice to implement the "refresh token mechanism" on the app side if server response is "Token is Expired": if an attacker gets access to the infinite jwt token, he can use API features, even if security hole will fixed in next app version.

JWT_TTL

/*
|--------------------------------------------------------------------------
| JWT time to live
|--------------------------------------------------------------------------
|
| Specify the length of time (in minutes) that the token will be valid for.
| Defaults to 1 hour.
|
| You can also set this to null, to yield a never expiring token.
| Some people may want this behaviour for e.g. a mobile app.
| This is not particularly recommended, so make sure you have appropriate
| systems in place to revoke the token if necessary.
|
*/

'ttl' => env('JWT_TTL', 60),

JWT_REFRESH_TTL

/*
|--------------------------------------------------------------------------
| Refresh time to live
|--------------------------------------------------------------------------
|
| Specify the length of time (in minutes) that the token can be refreshed
| within. I.E. The user can refresh their token within a 2 week window of
| the original token being created until they must re-authenticate.
| Defaults to 2 weeks.
|
| You can also set this to null, to yield an infinite refresh time.
| Some may want this instead of never expiring tokens for e.g. a mobile app.
| This is not particularly recommended, so make sure you have appropriate
| systems in place to revoke the token if necessary.
|
*/

'refresh_ttl' => env('JWT_REFRESH_TTL', 20160),

Upvotes: 1

Related Questions