JSON Web Token
jeruthadam, 2019-08-09 14:31:02

How to use refresh tokens safely?

Scenario: a hacker steals a refresh token.
Various tutorials say this is nothing to worry about, because when the real user tries to use it, it will supposedly become invalid. But after using it, the hacker will have had time to obtain a new access + refresh token pair! It turns out the hacker gets an infinitely reusable chain (like a second login), while the user, after being thrown back to re-login, gets his own new pair in parallel.
Yes, I could store only 1 refresh token per user, but this is nonsense: what if the user wants to log in on 2 PCs? So this option doesn't work. How then do you protect yourself, and why does this not bother anyone?


1 answer
Ivan Shumov, 2019-08-09
@inoise

All systems on the market have an invalidation system for both the access token and the refresh token. This can be done both by the Identity Server administrator and by the user himself. As for protection against theft, the same recommendations apply here as for everything else.
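The standard answer to the scenario in the question is refresh-token rotation with reuse detection, combined with the explicit invalidation the answer mentions. Below is an added illustration (not code from the question, the answer or any Identity Server product): each login opens its own token family, every refresh token is single-use, and a replay of an already-used token revokes the whole family, so the thief's chain dies the moment the real user touches the old token (or vice versa); the store, field names and `RefreshTokenStore` class are assumptions for the example.

```python
import hashlib
import secrets
import time

class RefreshTokenStore:
    """Single-use refresh tokens grouped into per-login families (in-memory demo).
    Refreshing retires the presented token and issues a successor in the same family.
    A retired token presented again means two parties hold a copy, so the whole
    family is revoked and the real user just logs in again. Each login opens its own
    family, so two PCs stay independent. Only SHA-256 digests are stored."""
    def __init__(self, ttl_seconds=30 * 86400):
        self.ttl = ttl_seconds
        self.records = {}            # digest -> {"user", "family", "exp", "used"}
        self.revoked_families = set()

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, user, family, now):
        token = secrets.token_urlsafe(32)
        self.records[self._digest(token)] = {"user": user, "family": family,
                                             "exp": now + self.ttl, "used": False}
        return token

    def login(self, user, now=None):
        """New device/login: open a fresh family and hand out its first token."""
        now = time.time() if now is None else now
        return self._issue(user, secrets.token_hex(8), now)

    def refresh(self, token, now=None):
        """Rotate: return the successor token, or None if the token is rejected."""
        now = time.time() if now is None else now
        rec = self.records.get(self._digest(token))
        if rec is None or rec["exp"] < now or rec["family"] in self.revoked_families:
            return None
        if rec["used"]:
            # Replay of an already-rotated token: assume theft, kill the family.
            self.revoked_families.add(rec["family"])
            return None
        rec["used"] = True
        return self._issue(rec["user"], rec["family"], now)

    def revoke(self, token):
        """Explicit invalidation by the user (logout) or an administrator."""
        rec = self.records.get(self._digest(token))
        if rec is not None:
            self.revoked_families.add(rec["family"])
        return rec is not None
```

The cost of this scheme is that a detected theft logs the legitimate user out of that one device; the session on the other PC (a separate family) is untouched.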
