I am new to JWT so apologies in advance.

I am using the php-jwt library.

Headers

```php
include_once("includes/jwt/BeforeValidException.php");
include_once("includes/jwt/ExpiredException.php");
include_once("includes/jwt/JWK.php");
include_once("includes/jwt/JWT.php");
include_once("includes/jwt/SignatureInvalidException.php");

header("Access-Control-Allow-Origin: *");
// The method list belongs in Access-Control-Allow-Methods;
// Access-Control-Request-Headers is a preflight request header, not a response header.
header("Access-Control-Allow-Methods: GET,POST,OPTIONS,DELETE,PUT");
header('Access-Control-Allow-Headers: Authorization, Accept,Accept-Language,Content-Language,Content-Type');
```

I am generating token using the following:

```php
$secret_key = "***";
$issuer_claim = "***";
$audience_claim = "***";
$issuedat_claim = time(); // issued at
$notbefore_claim = $issuedat_claim; // not usable before, in seconds
$expire_claim = time() + (60*60); // expire time in seconds
$token = array(
    "iss" => $issuer_claim,
    "aud" => $audience_claim,
    "iat" => $issuedat_claim,
    "nbf" => $notbefore_claim,
    "exp" => $expire_claim,
);
$jwt = JWT::encode($token, $secret_key);
```

However, when I decode the generated token using the tool on jwt.io, it shows that the token will expire in 5 minutes.

```json
{
  "iss": "***",
  "aud": "***",
  "iat": 1600925201,
  "nbf": 1600925201,
  "exp": 1600925501
}
```

Can you please guide me on how to increase the expiry time? Even though I have specified 60 minutes in the payload, the token is valid for 5 minutes only.

Secondly, I wanted to know how I can keep the token alive for a user who is active. For example, for a user who remains inactive for 60 minutes, the token should expire. But a user who is using the website/web app should not be logged out, because he might be in the middle of something and a sudden logout would break the flow. I have read about refresh tokens in this regard, and if you think that is the approach to go by, I would be grateful if you could share some tutorial on that, because I haven't found any which could give a good understanding of how to execute it.

Thanks in advance.

Saad Bashir
  • I tried your code snippet on http://sandbox.onlinephpfunctions.com/code/19e604a9308dc7061e3dea6fa968ac8e5c28a938 and got `iat => 1600930608 nbf => 1600930608 exp => 1600934208` -> exp exactly 3600 seconds after iat. Whatever problem you have, it can't be found in the code shown in your question. – jps Sep 24 '20 at 06:57
  • @jps I have updated the question. Please note that in your sandbox you haven't decoded the jwt token and looked at the values. You have simply echoed out $expire_claim. – Saad Bashir Sep 24 '20 at 07:23
  • of course I have only echoed the claims, because that's all information you have given before. – jps Sep 24 '20 at 07:28
  • Can you please check that your server time is the same as the "real" current time? – AIT MANSOUR Mohamed Sep 24 '20 at 07:30
  • @AITMANSOURMohamed yes just checked and confirmed that server time is same as the "real" current time. – Saad Bashir Sep 24 '20 at 07:32
  • @AITMANSOURMohamed the problem is the difference between iat and exp, that doesn't depend on the actual time of the server – jps Sep 24 '20 at 07:32
  • @SaadBashir can't help with your code, can't execute jwt code on the sandbox. – jps Sep 24 '20 at 07:34
  • @jps thank you for trying. Do you think maybe later you can try it when you have the environment available? would be highly grateful. – Saad Bashir Sep 24 '20 at 07:35
  • @SaadBashir I don't have any PHP environment, I'm not a PHP programmer. – jps Sep 24 '20 at 07:51

0 Answers
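The comments turn on the difference between echoing the claim variables and inspecting the token that was actually issued. As an added example that is not part of the original thread and not php-jwt's own code, the following plain-PHP script signs a token with the question's claim layout, verifies it, and reports the `exp - iat` lifetime read from the token itself. The helper names, the sample key and the sample claim values are constructed for illustration.

```php
<?php
// Added example: plain-PHP HS256 helpers, not php-jwt's own API.
function b64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $txt): string {
    $pad = (4 - strlen($txt) % 4) % 4;
    $bin = base64_decode(strtr($txt, '-_', '+/') . str_repeat('=', $pad), true);
    if ($bin === false) {
        throw new InvalidArgumentException('segment is not valid base64url');
    }
    return $bin;
}

function sign_hs256(array $claims, string $key): string {
    $head = b64url_encode(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
    $body = b64url_encode(json_encode($claims));
    return "$head.$body." . b64url_encode(hash_hmac('sha256', "$head.$body", $key, true));
}

// Check the signature, then report the lifetime encoded in the token itself.
function inspect_token(string $jwt, string $key): array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('expected three dot-separated segments');
    }
    [$head, $body, $sig] = $parts;
    $expected = hash_hmac('sha256', "$head.$body", $key, true);
    if (!hash_equals($expected, b64url_decode($sig))) {
        throw new RuntimeException('signature mismatch');
    }
    $claims = json_decode(b64url_decode($body), true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($claims) || !isset($claims['iat'], $claims['exp'])) {
        throw new RuntimeException('iat or exp claim missing');
    }
    return ['claims' => $claims, 'lifetime' => $claims['exp'] - $claims['iat'],
            'remaining' => $claims['exp'] - time()];
}

$key = 'constructed-demo-key';   // constructed sample secret
$now = time();
$jwt = sign_hs256(['iss' => 'demo-issuer', 'aud' => 'demo-audience',   // constructed claims
    'iat' => $now, 'nbf' => $now, 'exp' => $now + 60 * 60], $key);
$info = inspect_token($jwt, $key);
printf("lifetime in issued token: %d s, remaining: %d s\n", $info['lifetime'], $info['remaining']);
// Same arithmetic on the iat/exp values from the decoded payload in the question.
printf("lifetime in the question's payload: %d s\n", 1600925501 - 1600925201);
```

Running `inspect_token()` on the token the client actually receives shows whether that token came from the code path in the question or from somewhere else that sets a different `exp`.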