JSON Web Token
Sport-code, 2019-03-16 09:46:41

How to determine the lifetime of a JWT token on the client?

Hello!
Please tell me how to determine the lifetime of a token (JWT token and JWT passport) on the client, and whether its time is up; I store it in localStorage.
I have an online store; I load all the goods into Vuex when the site loads, i.e. I contact the server once.
I can't figure out how to correctly check the token if I don't contact the server.
If the time is up, then it must be deleted.


5 answers
Alex, 2019-03-16
@Kozack Vue.js

  1. Together with the token, the lifetime of the token should be returned.
  2. If this is not the case, then at the time of receiving the token, it is worth saving the time of its creation and the lifetime.
  3. If the lifetime is unknown to you, and the server does not provide any tool for checking the token, then you should write a wrapper around the network interface: after calling the API, if the server returns a token error, get a new one and repeat the request.

WebDev, 2019-03-16
@kirill-93

You have the token lifetime; check it in router.beforeEach. You do not need anything else.
Alex (Alexander Drozdov), what are you talking about?
If an attacker changes the field with the token's lifetime on the client, the token will not "live" any longer; the server will still fail it and the request will be rejected.
Pinging the server when you already have the token's lifetime in your hands is pure madness.

Roman Kitaev, 2019-03-16
@deliro

The lifetime of the token itself does not need to be checked on the client:
1. The JWT can be httpOnly; otherwise it is a direct blow to security, in the form of the ability to read this token from a script via XSS.
2. The user's clock on the PC may differ from the server's. Let's say the JWT lifetime is 5 minutes, and the user's clock is 6 minutes fast. This difference is not enough to break SSL, but it is enough for your script to loop forever trying to get a "fresh" token, thinking that the current one is stale.

Therefore, you do this:
After successfully receiving the JWT, you put the user's current time in localStorage (neglecting the difference between the actual issue time and the execution time of your function; it will most likely not exceed the user's ping + 100 ms). You intercept each request with an interceptor (https://github.com/axios/axios#interceptors). In this interceptor you look in localStorage, and if 50-80% of the JWT lifetime has passed, you first send a request to refresh the token, and then you send the request itself. The margin is there because we neglected the difference above, the request itself may take some time (network delays, the request may sit in a queue until a worker is free, or the backend may hit the database before validating the JWT), and the user's clock may run faster than the server's and add an extra couple of microseconds.
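The scheme from this answer as an added example (not code from the thread): receipt time is recorded on the client's own clock, the interceptor refreshes once a margin of the lifetime has passed, and the demo contrasts that with the naive `exp`-versus-client-clock check under the 6-minute skew described above. Storage and clock are injected; key names, the dummy token and the timings are constructed.

```javascript
// Added example, not code from the thread; key names, dummy token and timings are constructed.
const KEYS = { token: 'jwt', receivedAt: 'jwt_received_at', lifetime: 'jwt_lifetime_ms' };

// Save the token with the time of receipt read from the CLIENT clock.
function storeToken(storage, now, token, lifetimeMs) {
  storage.setItem(KEYS.token, token);
  storage.setItem(KEYS.receivedAt, String(now()));
  storage.setItem(KEYS.lifetime, String(lifetimeMs));
}

// The answer's rule: refresh once 50-80% of the lifetime is gone (70% here). Elapsed time is
// measured on the same clock that recorded receipt, so client/server skew cancels out.
function needsRefresh(storage, now, threshold = 0.7) {
  const received = Number(storage.getItem(KEYS.receivedAt));
  const lifetime = Number(storage.getItem(KEYS.lifetime));
  if (!Number.isFinite(received) || !(lifetime > 0)) return true; // missing/garbled: refresh
  return (now() - received) / lifetime >= threshold;
}

// The naive check the answer warns against: the server-issued `exp` against the client clock.
const expiredByExp = (expMs, now) => now() >= expMs;

// axios-style request interceptor: refresh first if needed, then attach the token.
// `refresh` is the app's own async function returning { token, lifetimeMs }.
function makeAuthInterceptor({ storage, now, refresh, threshold = 0.7 }) {
  return async (config) => {
    if (needsRefresh(storage, now, threshold)) {
      const fresh = await refresh();
      storeToken(storage, now, fresh.token, fresh.lifetimeMs);
    }
    config.headers = { ...config.headers, Authorization: `Bearer ${storage.getItem(KEYS.token)}` };
    return config;
  };
}

// Scenario from the answer: 5-minute token, client clock 6 minutes ahead of the server.
// Returns both checks' verdicts at 0, 2 and 4 minutes after receipt.
function demo() {
  const MIN = 60_000, lifetime = 5 * MIN, skew = 6 * MIN, issued = 1_700_000_000_000;
  const m = new Map(), storage = { getItem: (k) => m.get(k) ?? null, setItem: (k, v) => m.set(k, v) };
  let clientNow = issued + skew; const now = () => clientNow;
  storeToken(storage, now, 'hdr.payload.sig', lifetime);
  const byElapsed = [], byExp = [];
  for (const elapsedMin of [0, 2, 4]) {
    clientNow = issued + skew + elapsedMin * MIN;
    byElapsed.push(needsRefresh(storage, now));
    byExp.push(expiredByExp(issued + lifetime, now));
  }
  return { byElapsed, byExp }; // { byElapsed: [false, false, true], byExp: [true, true, true] }
}
```

In a browser, pass `window.localStorage` and `Date.now` and register the interceptor with `axios.interceptors.request.use(...)`; the `exp` check wrongly reports the token expired from the first second, while the elapsed-time check only asks for a refresh at the 4-minute mark.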

Alexander Sharihin, 2016-11-23
@Pinsky

There are more than you can imagine.
For example, https://github.com/nikic/FastRoute

Ivanq, 2016-11-23
@Ivanq

There is no built-in one, but there are functions. Main article: PHP: URL - Manual string encoding
