Time expiration issue in JWT

As you know, there are some good reasons for using token based authentication instead of session based.

In session based, of course there is an expiration time. So if the user is not active for a while, his session gets expired. But before it expires, if he sends a request to the server, his time will be extended.

There is an awesome tutorial here about JWT. I have a question about the expiration time for the token. Imagine we set the expiration time to 100 seconds, then we sign the token. It doesn't matter whether the user is active or not. After 100 seconds that token will not be valid anymore. This bothers the user. Is there any way to extend the time?

Is it a correct approach, or maybe I have made a mistake? Any idea?

Ablebodied answered 24/12, 2016 at 16:41 Comment(0)

If I understand the question correctly, it is fairly simple to alter the expiration of a JWT token during creation...

The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. The processing of the "exp" claim requires that the current date/time MUST be before the expiration date/time listed in the "exp" claim.

More information can be found here https://www.rfc-editor.org/rfc/rfc7519#section-4.1.4

Basically the exp key takes a unix timestamp - set the timestamp to > 100 seconds from now and you will accomplish your goal.

To "refresh" the token your API needs a service that receives a valid JWT and returns the same signed JWT with the updated expiration.

Curricle answered 24/12, 2016 at 16:46 Comment(5)
here is a helpful tool for generating unix timestamps as well: onlineconversion.com/unix_time.htm (Curricle)
Thank you, but I think you didn't understand my question. Let me explain more. Imagine we use session based authentication. If the user keeps refreshing the page for a month, he never gets logged out, because on each refresh the session expiration extends. But here, when we set the exp to 100 seconds after now, even if the user is active, he will be logged out suddenly. (Ablebodied)
You can't "set exp to 100 seconds after now"; what you are saying makes no sense to me... Specify a date/time you want the token to expire and convert that to a unix timestamp, it is pretty simple. (Curricle)
That's OK, it was just an example: 100 seconds after now! We convert that to a unix timestamp. What I mean is this: when the user is active and sending requests, suddenly he will be logged out! Let's imagine we refresh the token on each request; how do we handle "remember me" while the user is going to log in? (Ablebodied)
Thanks. And one more question. What is your idea about remember me functionality? (Ablebodied)

Silent refresh

There are 2 major problems that users of our JWT based app will still face:

1. Given our short expiry times on the JWTs, the user will be logged out every 15 minutes. This would be a fairly terrible experience. Ideally, we'd probably want our user to be logged in for a long time.
2. If a user closes their app and opens it again, they'll need to login again. Their session is not persisted because we're not saving the JWT token on the client anywhere.

To solve this problem, most JWT providers provide a refresh token. A refresh token has 2 properties:

1. It can be used to make an API call (say, /refresh_token) to fetch a new JWT token before the previous JWT expires.
2. It can be safely persisted across sessions on the client!

Here is a brilliant exposition on the Hasura blog: https://hasura.io/blog/best-practices-of-using-jwt-with-graphql/

Trifolium answered 28/5, 2020 at 6:2 Comment(0)

You didn't give further information, but I'll assume you are going to use JWT for web-browser authentication. You can save your JWT in a cookie with the httpOnly and secure attributes and set the cookie expiration time long enough (maybe 1 year), and inside your JWT claims set the exp property to a shorter time (maybe 1 week or something else). Now on every request the cookie will be sent to the server, so you can check for the expiration time. Something like this:

// exp is a unix timestamp in seconds (RFC 7519) while Date.now() returns
// milliseconds, so bring both to the same scale before comparing.
// The token is still valid only while the current time is before exp.
if (decodedJwt.exp * 1000 > Date.now()) {
  //token is valid, do your stuff
} else {
  //token expired, regenerate it and set it to the cookie
  //also update the expire time of the cookie
}
Gourmont answered 26/10, 2018 at 15:56 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.