Quote:
Originally Posted by suzzer99
Yes you can do that. But you still have to keep track of when a user hasn't done anything for 15 minutes to know when to blacklist their token, AND reset that timer to 15 minutes any time the user accesses any back-end resource. Do you guys do that too somehow?
I am sure theres a ton of ways to do this. Have a master expiration time (the longest a session can possibly last, say an hour of constant activity) and a short exp time (15 mins).
Each request check that both exp times are valid, if they are, serve the request and refresh the token as well (change the short exp time for 15 mins later).
Quote:
This is something that comes out of the box with a J2EE server, .NET, Express session store, and I'm guessing PHP and Rails have similar functionality.
Then use one of those lol. Spoiler alert: Session based security was wildly mishandled as well, security is hard.
Quote:
Use case: let's say you have a bank website. You have some Javascript that warns a user their session is about to expire, then if they do nothing it triggers a back end logout. This will add their token to the blacklist. But, what if they already closed their browser 10 minutes ago? Now they could re-open it, try to access a back end resource, and get right through assuming the JWT token hadn't expired yet.
The token expiration should handle this for you, a black list is just for when someone clicks a log out button or reports a stolen token.
Quote:
Even if you set the JWT token to expire in 15 minutes that still is a problem. Because if the user makes a request and the token is expired - the back end doesn't know if they had just made a request a minute before. So the back end won't know if it should refresh the user's token in the background, or force them to log in again.
The concept of a "server knowing" is not what jwts are for. If you want to store session information and state somewhere, do it. There's no need to be stateless just bc its cool if you don't want to. However, the jwt setting a specific exp time each time its generated is doing this for you. It only forces a login when its expired or blacklisted, how you change and alter the exp time on each request is up to you.
Quote:
Unless you're somehow resetting the token expiration on every request. No one does that right?
No one? You could do that. You can do whatever you want. Most people likely just set an exp time to 60 days and store it in local storage and go on about their days. Don't be most people.
Quote:
I feel like JWT works great for apps like FB where you just stay logged on forever. But for sensitive apps where you want to boot people after X minutes of inactivity - maybe not so much. And also there's the problem if you want to put sensitive data in the user session. You can't do it on the client side.
No, jwts were created for very short applications. Staying logged in longer times is a harder problem with jwts and takes some finessing and research. Mostly I would just say focus on your use cases and stop worrying about whats "right". Just make sure you A) dont have a jwt in the wild that can be used a long time after its generation and B) dont store anything secret in a browser. Ez pz