4

Given an example here for a normal web app.

Traditionally, we use session and set timeout = 30 minutes. if session expires we will redirect user to login. (Expired time will be extended when user/browser interact with web app)

Using JWT, how to achieve that?

I know something about "token refresh", when short-time token expires it will refresh a new one using refresh-token.

But it looks like it don't care about whether user is interacting with web app or not. So as long as refresh-token is alive, the browser can always get a new short-life JWT.

So the question is: How to extend token expiring time if user is not active for a set period using JWT?

Joe
  • 91
  • 1
  • 5

2 Answers2

3

When the user interacts with your server then your server can decide to issue another JWT with a new expiration time (not at each request but e.g. 5 min before the current JWT expiration time). If the client receives a new JWT, then it replaces the old one.

When the user does nothing, no new JWT is issued and the JWT will become invalid after the timeout.

Spomky-Labs
  • 15,473
  • 5
  • 40
  • 64
2

If the user is active, then issue a new JWT every time the user enter in the web application and every period of time (for example 1 hour)

If the user is not active but the browser is open, it can request a new JWT to server in background. The token must be requested before expiry time and then replace the token in localStorage or cookie. This technique also can be applied to standalone applications

If browser can not request a new token (closed, not active, etc) then the token will expire and you can redirect user to login in the some way that if server session expires

Check this JWT (JSON Web Token) automatic prolongation of expiration

Community
  • 1
  • 1
pedrofb
  • 37,271
  • 5
  • 94
  • 142