API
edmondr, 2017-09-11 00:44:59

What to do with the token when authorizing in a mobile application?

There is a mobile app for iOS.
There is authorization: a hashed password + user login is sent to the server.
The password hash is checked against the value in the database; if everything is OK, the user is authorized.
In theory, it is necessary to give a JWT or just some kind of token in response to successful authorization. However, in fact, a token has the property of expiring (or am I mistaken here?), and the essence of a mobile application is that the user logs in only once and does not think about it again. What should be done in such a situation?


1 answer(s)
Alexander Kuznetsov, 2017-09-11
@edmondr

It is necessary to give a JWT token. It has such a thing as a lifetime, after which the token will no longer be valid. This is correct from a security point of view.
How can this be resolved? To do this, you can use such a thing as a refresh token. That is, together with the JWT, you also give the Refresh Token associated with the JWT (for example, saved in the database). Using this refresh token, you can re-request a new token for this user and continue to work calmly.
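The flow described in the answer, as an added server-side sketch that is not code from either poster: a short-lived HS256 JWT is issued together with a refresh token kept in a store, and the refresh token is later exchanged for a new pair. The lifetimes, the in-memory dict standing in for the database, hashing the stored token and one-time rotation are assumptions of this example.

```python
import base64, hashlib, hmac, json, secrets

SECRET = secrets.token_bytes(32)   # constructed signing key (assumption)
ACCESS_TTL = 15 * 60               # JWT lifetime in seconds (assumption)
REFRESH_TTL = 30 * 24 * 3600       # refresh-token lifetime in seconds (assumption)
refresh_store = {}                 # sha256(refresh token) -> (user, expiry); stands in for the database

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(msg):
    return _b64(hmac.new(SECRET, msg.encode(), hashlib.sha256).digest())

def issue_tokens(user, now):
    """After a successful login: return (short-lived JWT, refresh token)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": user, "exp": int(now) + ACCESS_TTL}).encode())
    jwt = f"{header}.{payload}.{_sign(header + '.' + payload)}"
    rtoken = secrets.token_urlsafe(32)
    # Store only a hash, so a leaked table does not contain usable tokens.
    refresh_store[hashlib.sha256(rtoken.encode()).hexdigest()] = (user, now + REFRESH_TTL)
    return jwt, rtoken

def verify_jwt(jwt, now):
    """Return the user if the signature is valid and the token is unexpired, else None."""
    try:
        header, payload, sig = jwt.split(".")
        expected = _sign(header + "." + payload)
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return None
        claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    except ValueError:
        return None                # malformed token
    return claims["sub"] if claims["exp"] > now else None

def refresh_tokens(rtoken, now):
    """Exchange a refresh token for a new pair; each refresh token works once."""
    key = hashlib.sha256(rtoken.encode()).hexdigest()
    entry = refresh_store.pop(key, None)   # rotation: the old token is consumed
    if entry is None or entry[1] <= now:
        return None                        # unknown, reused or expired: user must log in again
    return issue_tokens(entry[0], now)
```

On the device, the app keeps the refresh token in the iOS Keychain and calls the refresh endpoint when the API rejects an expired JWT, so the user does not see a login screen again until the refresh token itself expires or is revoked.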
