
How do you store refresh tokens?

Open cottton opened this issue 4 years ago • 0 comments

I suggest NOT posting how you store your tokens. Don't give hints out in public. This post here is more to bring attention to this topic, so people do not store refresh tokens as plain text in the DB.

Background: https://github.com/firebase/php-jwt/issues/119#issuecomment-882116462

TL;DR: a plain-text refresh token in the DB means that if there is a DB leak, the attacker can log in with the token. Meaning: the refresh token should be handled like a clear-text password.

I really would like to see a pretty short but clear description in the readme that makes clear: the refresh token should be handled like a clear-text password. It must be stored hashed in the DB.

And since this is php-jwt, I suggest an example with PHP password_hash() | password_verify().

Thank you.

cottton Jul 18 '21 21:07
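The pattern the issue asks for, as an added example that is not part of the issue and not php-jwt's own code: a refresh token is issued to the client, but the database only ever holds a password_hash() of its secret part. Because password_hash() salts every hash, you cannot look a token up by its hash, so the example uses the common "selector + verifier" split (assumed here, not suggested in the post): a random selector stored in clear acts as the lookup key, and a random verifier is stored only hashed and checked with password_verify(). The table layout, the 30-day lifetime, the single-use rotation on successful refresh and the in-memory SQLite database (which needs the pdo_sqlite extension) are all assumptions made so the example runs offline.

```php
<?php
declare(strict_types=1);

// Added example, not php-jwt code. Assumed schema (created below for the demo):
//   refresh_tokens(selector TEXT PRIMARY KEY, verifier_hash TEXT, user_id INTEGER, expires_at INTEGER)

const REFRESH_TTL = 30 * 24 * 3600; // assumed policy: refresh tokens live 30 days

// Issue a refresh token for $userId and return the string the client receives.
// The selector is stored in clear so the row can be found; the verifier is
// stored only as a password_hash() hash, exactly like a clear-text password.
function issueRefreshToken(PDO $db, int $userId): string
{
    $selector = bin2hex(random_bytes(12)); // 24 hex chars, public lookup key
    $verifier = bin2hex(random_bytes(32)); // 64 hex chars, the secret part (fits bcrypt's 72-byte limit)

    $stmt = $db->prepare(
        'INSERT INTO refresh_tokens (selector, verifier_hash, user_id, expires_at)
         VALUES (:selector, :hash, :user_id, :expires_at)'
    );
    $stmt->execute([
        ':selector'   => $selector,
        ':hash'       => password_hash($verifier, PASSWORD_DEFAULT),
        ':user_id'    => $userId,
        ':expires_at' => time() + REFRESH_TTL,
    ]);

    // Only the client ever sees the verifier; a DB leak yields hashes, not usable tokens.
    return $selector . ':' . $verifier;
}

// Validate a presented token. Returns the user id on success, null otherwise.
// On success the row is deleted, so each refresh token can be used only once.
function consumeRefreshToken(PDO $db, string $token): ?int
{
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $verifier] = $parts;

    $stmt = $db->prepare(
        'SELECT verifier_hash, user_id, expires_at FROM refresh_tokens WHERE selector = :selector'
    );
    $stmt->execute([':selector' => $selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false
        || (int) $row['expires_at'] < time()
        || !password_verify($verifier, $row['verifier_hash'])) {
        return null;
    }

    // Rotation: remove the row so a replayed token is rejected from now on.
    $del = $db->prepare('DELETE FROM refresh_tokens WHERE selector = :selector');
    $del->execute([':selector' => $selector]);

    return (int) $row['user_id'];
}

// Demo against an in-memory SQLite database (constructed here; assumes pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec(
    'CREATE TABLE refresh_tokens (
        selector      TEXT PRIMARY KEY,
        verifier_hash TEXT NOT NULL,
        user_id       INTEGER NOT NULL,
        expires_at    INTEGER NOT NULL
    )'
);

$token = issueRefreshToken($db, 42);
$stored = $db->query('SELECT verifier_hash FROM refresh_tokens')->fetchColumn();

echo "client token : {$token}\n";
echo "stored in DB : {$stored}\n";
echo "first use    : " . var_export(consumeRefreshToken($db, $token), true) . "\n";
echo "replay       : " . var_export(consumeRefreshToken($db, $token), true) . "\n";
echo "garbage      : " . var_export(consumeRefreshToken($db, 'not:a-token'), true) . "\n";
```

Two practitioner notes on the design. First, password_hash() is a deliberately slow hash meant for low-entropy passwords; a verifier drawn from random_bytes(32) already has 256 bits of entropy, so a plain SHA-256 of the verifier compared with hash_equals() would give the same protection against a DB leak at a fraction of the CPU cost, and would even allow lookup by hash without a separate selector. password_hash() is used above because it is what the issue asks for and it is the harder one to misuse. Second, the single-use delete on success is what turns a stolen refresh token into a detectable event: if the legitimate client later presents a token that has already been consumed, that is a strong signal the token was copied.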