
What is the usefulness of the refresh token? As I understand it, the refresh token is used when the access token expires: the refresh token is sent to generate another refresh token and another access token. This is because if an access token is hijacked, due to its short duration the malicious user can do practically nothing, but if a refresh token, which has a long duration, is hijacked, the user can no longer be protected. So where should the refresh token be stored so that no one can hijack it? Or what security measures should be taken on the backend?

Franco
    Does this answer your question? [What is the purpose of a "Refresh Token"?](https://stackoverflow.com/questions/38986005/what-is-the-purpose-of-a-refresh-token) – Romka Dec 30 '20 at 17:18

1 Answer


Send the refresh token as an httpOnly cookie marked safe and sameSource. It will be automatically stored in cookies and sent to the server with every HTTP request. httpOnly cookies cannot be accessed through JavaScript, so if you use the HTTPS protocol it cannot be hijacked easily.

Gabriel Lupu