
Due to security concerns regarding JWTs being stored in a database, I wondered today if I could hash them instead.

My webapp could still verify the user's refresh-token if used to refresh his/her access-token as they're signed.

I don't currently see a downside to this.

My refresh-tokens are only valid for 7 days, so if the tokens were exposed, I could revoke them and force all users to re-login -- not terribly painful.

But generally speaking, is this approach a more secure one? Am I overlooking anything?

Gary
  • You might find this helpful: https://stackoverflow.com/questions/42763146/does-it-make-sense-to-store-jwt-in-a-database – rexess Jul 22 '20 at 04:51
  • Thanks rexessilfie, it's a good read, but it doesn't really address the hashing perspective. I certainly think maintaining a refresh-token revocation option is highly advisable, which that solution seems to ignore. – Gary Jul 22 '20 at 05:04
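As an added illustration of the scheme asked about (example code, not from the post or any project): the refresh token is an HS256-signed JWT, the server-side store keeps only a SHA-256 fingerprint of it, redemption verifies signature and expiry before looking the fingerprint up, the token is rotated on use, and a single call revokes every outstanding refresh token. The signing key and the in-memory store are constructed stand-ins for a real secret and database.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Optional

SIGNING_KEY = b"constructed-example-key-keep-server-side"  # assumption: HS256 key
REFRESH_TTL = 7 * 86400                                    # 7 days, as in the question
REFRESH_STORE: dict = {}   # sha256(token) -> subject; the token itself is never stored

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def fingerprint(token: str) -> str:
    """What the database keeps: a SHA-256 hex digest of the signed token."""
    return hashlib.sha256(token.encode()).hexdigest()

def issue_refresh_token(sub: str, now: int) -> str:
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = {"sub": sub, "exp": now + REFRESH_TTL, "jti": secrets.token_hex(8)}
    claims = _b64(json.dumps(body).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    token = f"{header}.{claims}.{_b64(sig)}"
    REFRESH_STORE[fingerprint(token)] = sub   # persist only the hash, never the token
    return token

def verify_signed_claims(token: str, now: int) -> Optional[dict]:
    """Signature and expiry check; returns the claims or None."""
    try:
        header, claims, sig = token.split(".")
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None   # reject anything but the expected algorithm (e.g. "none")
        expected = hmac.new(SIGNING_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        body = json.loads(_unb64(claims))
        return body if body.get("exp", 0) > now else None
    except (ValueError, UnicodeDecodeError):
        return None

def redeem_refresh_token(token: str, now: int) -> Optional[str]:
    """Verify, then consume the stored fingerprint and rotate to a fresh token."""
    claims = verify_signed_claims(token, now)
    if claims is None:
        return None
    if REFRESH_STORE.pop(fingerprint(token), None) is None:
        return None   # unknown, already used, or revoked
    return issue_refresh_token(claims["sub"], now)

def revoke_all_refresh_tokens() -> int:
    """Force every user to log in again; returns how many tokens were revoked."""
    count = len(REFRESH_STORE)
    REFRESH_STORE.clear()
    return count
```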

0 Answers