Time expiration issue in JWT


As you know, there are some good reasons for using token based authentication instead of session based.

In session based authentication, of course there is an expiration time. So if the user is not active for a while, his session gets expired. But if he sends a request to the server before it expires, his time will be extended.

There is an awesome tutorial here about JWT. I have a question about the expiration time for the token. Imagine we set the expiration time to 100 seconds, then we sign the token. It doesn't matter whether the user is active or not: after 100 seconds that token will not be valid anymore. This bothers the user. Is there any way to extend the time?

Is this a correct approach, or maybe I've made a mistake? Any ideas?

3

There are 3 answers

5
Maxwelll On BEST ANSWER

If I understand the question correctly, it is fairly simple to alter the expiration of a JWT token during creation...

The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. The processing of the "exp" claim requires that the current date/time MUST be before the expiration date/time listed in the "exp" claim.

More information can be found here https://www.rfc-editor.org/rfc/rfc7519#section-4.1.4

Basically the exp key takes a unix timestamp (seconds since the epoch). Set the timestamp to > 100 seconds from now and you will accomplish your goal.

To "refresh" the token your API needs a service that receives a valid JWT and returns the same signed JWT with the updated expiration.

0
Frank On

Silent refresh

There are 2 major problems that users of our JWT based app will still face:

1. Given our short expiry times on the JWTs, the user will be logged out every 15 minutes. This would be a fairly terrible experience. Ideally, we'd probably want our user to be logged in for a long time.
2. If a user closes their app and opens it again, they'll need to login again. Their session is not persisted because we're not saving the JWT token on the client anywhere.

To solve this problem, most JWT providers provide a refresh token. A refresh token has 2 properties:

1. It can be used to make an API call (say, /refresh_token) to fetch a new JWT token before the previous JWT expires.
2. It can be safely persisted across sessions on the client!

Here is a brilliant exposition on the HASURA BLOG --> https://hasura.io/blog/best-practices-of-using-jwt-with-graphql/

0
Shahin Ghasemi On

You didn't give further information, but I'll assume you are going to use JWT for web-browser authentication. You can save your JWT in a cookie with the httpOnly and secure attributes and set the cookie expiration time long enough (maybe 1 year), and inside your JWT claims set the exp property to a shorter time (maybe 1 week or something else). Now in every request the cookie will be sent to the server, so you can check the expiration time. Something like this:

// exp is a NumericDate in seconds; Date.now() returns milliseconds,
// so compare both in seconds. The token is valid only while exp is in the future.
const nowSec = Math.floor(Date.now() / 1000);
if (decodedJwt.exp > nowSec) {
  // token is valid, do your stuff
} else {
  // token expired, regenerate it and set it to the cookie
  // also update the expire time of the cookie
}