User identification
Nikita, 2020-07-23 22:49:16

How do you protect yourself from an attacker stealing a refresh token?

The refresh token is stored in an HttpOnly cookie. I saw a recommendation to store the refresh token in the database and compare it for equality with the token stored in the cookie, but in that case, what happens if the user, while authorized on one device, logs in on another?


2 answers
xmoonlight, 2020-07-24

Bind the refresh token to:
1. a fingerprint (device id; + refresh token binding)
2. the IP/subnet (+ refresh token binding)
3. behavioral factor control

What to do if the user, while authorized on one device, logs in on another?
I already answered this here and I will repeat it:
Account -> Device -> Token, and nothing else!
And, as Pardon Me! Where Do I Find 4giveness? wrote, the refresh token must be changed several times per user session (activity), in a mode that is completely "transparent" to the user.

SagePtr, 2020-07-24

The point of the refresh token is that if it is stolen, the user will automatically be logged out at the next refresh and will notice this. That is, an attacker can do harm, but do harm secretly and go unnoticed - no.
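Both answers describe the same mechanism from two sides: one refresh-token chain per (account, device) so that a login on a second device never disturbs the first, rotation on every use, and reuse detection so that a replayed (stolen) token kills the chain and the legitimate owner is logged out and notices. The following is an added illustration written for this page, not code from either answer; the device string standing in for a fingerprint, the `sid.secret` cookie layout, and all class and function names are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class DeviceSession:
    """One Account -> Device -> Token chain. Only `current` is ever accepted."""
    user: str
    device: str                                 # fingerprint / device id seen at login (assumed)
    current: str                                # sha256 of the single valid refresh token
    retired: set = field(default_factory=set)   # hashes of tokens already rotated out
    revoked: bool = False


def _digest(secret: str) -> str:
    # Store only a hash: a database leak must not hand out usable tokens.
    return hashlib.sha256(secret.encode()).hexdigest()


class RefreshTokenStore:
    def __init__(self):
        self.sessions = {}  # session id -> DeviceSession (in-memory stand-in for the database)

    def login(self, user: str, device: str) -> str:
        """Start a new chain for this device; chains of other devices are untouched."""
        sid, secret = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.sessions[sid] = DeviceSession(user, device, _digest(secret))
        return f"{sid}.{secret}"                # value that goes into the HttpOnly cookie

    def refresh(self, cookie: str, device: str):
        """Rotate the token. Returns the new cookie value, or None to force re-login."""
        sid, _, secret = cookie.partition(".")
        s = self.sessions.get(sid)
        if s is None or s.revoked:
            return None
        if device != s.device:                  # token presented from a different device
            s.revoked = True
            return None
        h = _digest(secret)
        if h == s.current:                      # normal path: rotate transparently
            new_secret = secrets.token_urlsafe(32)
            s.retired.add(h)
            s.current = _digest(new_secret)
            return f"{sid}.{new_secret}"
        if h in s.retired:                      # replay of an already-rotated token
            s.revoked = True                    # we cannot tell thief from owner, so kill the chain
            return None
        return None                             # unknown secret


def stolen_token_scenario() -> dict:
    """Constructed scenario: attacker copies the laptop cookie, owner refreshes first."""
    store = RefreshTokenStore()
    laptop = store.login("nikita", "laptop-fp")
    phone = store.login("nikita", "phone-fp")       # second device, independent chain
    stolen = laptop                                 # attacker's copy of the cookie
    laptop = store.refresh(laptop, "laptop-fp")     # legitimate use rotates it
    replay = store.refresh(stolen, "laptop-fp")     # attacker replays the old value
    return {
        "replay_rejected": replay is None,
        "laptop_logged_out": store.refresh(laptop, "laptop-fp") is None,
        "phone_unaffected": store.refresh(phone, "phone-fp") is not None,
    }
```

Reuse detection cannot tell whether the stale token came from the owner or the thief, so the whole chain is revoked and both sides lose access; that is exactly the "logged out at the next refresh" behaviour described in the second answer. Because each device has its own chain keyed by its own session id, the equality check against the stored value still works when the same account is logged in on a phone as well, which answers the follow-up in the question.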
