JWTRefreshTokenBundle

Retrieve refresh_token from httponly cookie

Open konshensx16 opened this issue 5 years ago • 5 comments

Hello there everyone,

First of all I would like to thank you for this great library :)

I have a couple of questions (I might just be stupid or tired, but bear with me). Basically, upon successful authentication I'm setting the cookie using Set-Cookie in an event listener that I have; it works fine and as expected. The thing is, when I try to refresh the token, I need to pass the refresh_token to the /token/refresh route.

My questions are:

  1. Is it okay (I assume it's not) to store the refresh token somewhere (like localStorage) and then send it whenever I need to refresh the token?
  2. Can I add the refresh_token to the cookie that I already got from the login action, next to the token that I already set? If yes, can I get that value from the cookie? Because as far as I'm concerned, by default it looks for the token in either the request body or GET parameters.

Hopefully someone could answer those questions. Also, sorry if this is just a duplicate issue; I've looked through some of them but none could answer my questions.

Cheers :)

konshensx16 avatar Apr 05 '19 23:04 konshensx16

Hi @konshensx16 thanks for your comments.

  1. It's OK to save it in localStorage, or as a cookie.
  2. You could read refresh_token from a cookie; look at this: https://github.com/gesdinet/JWTRefreshTokenBundle/issues/132#issuecomment-461333191

markitosgv avatar Apr 07 '19 18:04 markitosgv
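To make the cookie approach from the answer above concrete, here is an added example (my own code, not the bundle's and not from the linked comment) of two Symfony listeners: one that moves the refresh token out of the JSON login response into an HttpOnly cookie, and one that copies that cookie back into the request body so the bundle's default lookup (request body or query parameter) finds it on /token/refresh. It goes a little beyond the question by scoping the cookie's Path to the refresh route and removing the token from the response body. Assumptions: Symfony 4.3 or later (`Cookie::create`, `RequestEvent`), LexikJWTAuthenticationBundle's `AuthenticationSuccessEvent` (which this bundle hooks to add `refresh_token` to the response data), the cookie name `refresh_token`, and a TTL that matches your `gesdinet_jwt_refresh_token.ttl` setting.

```php
<?php
// Added example, not part of JWTRefreshTokenBundle or of this issue thread.
// Assumes Symfony 4.3+ HttpFoundation/HttpKernel and LexikJWTAuthenticationBundle's
// AuthenticationSuccessEvent; the route /token/refresh comes from the question.

namespace App\EventListener;

use Lexik\Bundle\JWTAuthenticationBundle\Event\AuthenticationSuccessEvent;
use Symfony\Component\HttpFoundation\Cookie;
use Symfony\Component\HttpKernel\Event\RequestEvent;

final class RefreshTokenCookieListener
{
    // Cookie name is an assumption; it mirrors the bundle's default request parameter name.
    public const COOKIE_NAME = 'refresh_token';
    public const REFRESH_PATH = '/token/refresh';

    // Refresh token lifetime in seconds; assumed to equal gesdinet_jwt_refresh_token.ttl.
    private int $ttl;

    public function __construct(int $ttl = 2592000)
    {
        $this->ttl = $ttl;
    }

    // Listener for lexik_jwt_authentication.on_authentication_success. Register it with a
    // negative priority so it runs after the bundle's own listener has added refresh_token.
    public function onAuthenticationSuccess(AuthenticationSuccessEvent $event): void
    {
        $data = $event->getData();
        if (!isset($data['refresh_token'])) {
            return; // nothing to move, e.g. the bundle is not attached on this firewall
        }

        $event->getResponse()->headers->setCookie(Cookie::create(
            self::COOKIE_NAME,
            $data['refresh_token'],
            time() + $this->ttl,
            self::REFRESH_PATH,          // Path: only sent to the refresh endpoint, not with every API call
            null,                        // domain: current host only
            true,                        // Secure: HTTPS only
            true,                        // HttpOnly: not readable from JavaScript (the point of the question)
            false,                       // raw: let Symfony URL-encode the value
            Cookie::SAMESITE_STRICT      // never attached to cross-site requests
        ));

        // Keep the token out of the JSON body so the client never sees it and cannot
        // put it in localStorage or leak it through logs; the JWT itself stays in the body.
        unset($data['refresh_token']);
        $event->setData($data);
    }

    // Listener for kernel.request. The bundle reads refresh_token from the request body or
    // query string, so copy the cookie value there when the refresh route is hit.
    public function onKernelRequest(RequestEvent $event): void
    {
        $request = $event->getRequest();
        if ($request->getPathInfo() !== self::REFRESH_PATH) {
            return;
        }
        if (!$request->cookies->has(self::COOKIE_NAME)) {
            return; // no cookie: let the bundle reject the request as usual
        }
        // An explicit body parameter wins over the cookie, so behaviour for existing
        // clients that post the token does not change.
        if (!$request->request->has('refresh_token')) {
            $request->request->set('refresh_token', $request->cookies->get(self::COOKIE_NAME));
        }
    }
}
```

Wire it up in services.yaml with two `kernel.event_listener` tags, one for `lexik_jwt_authentication.on_authentication_success` (method `onAuthenticationSuccess`, priority below 0) and one for `kernel.request` (method `onKernelRequest`). Because the cookie is scoped to `/token/refresh` with `SameSite=Strict`, the refresh endpoint must live on the same site as the login endpoint, and the client must send the refresh request with credentials included; in exchange, the refresh token is never exposed to page scripts and is never transmitted to any other route.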

Hello @markitosgv , Thank you for responding,

One more question: let's assume a user hijacked my machine and got access to the refresh_token. Does that give access to my application? It doesn't make sense, but hackers always find a way :D. When refreshing the application, does the library check for the initial token or something like that before generating the refresh token?

konshensx16 avatar Apr 08 '19 20:04 konshensx16

@konshensx16 there is a command to revoke refresh tokens. So if some token were compromised you could revoke it and kill the future access for the hacker. But then your JWT token should have a very small lifetime.

norkunas avatar Apr 09 '19 03:04 norkunas

@konshensx16 as @norkunas said, there's no problem because the user can revoke the refresh token. Think about PHP session cookies: it's the same, someone could steal it and gain access.

Worst case is if someone steals a high-TTL JWT token, because you cannot expire it; it's valid by itself. The only way to revoke access is changing the private key (which affects all your users).

PS: The library doesn't check the JWT token when refreshing; in fact, that's the main purpose: reissue a new JWT token without asking for credentials again, only with a higher-TTL refresh token.

markitosgv avatar Apr 09 '19 07:04 markitosgv

Thank you very much both @norkunas & @markitosgv for the valuable info. I guess I will just go with using a cookie for that extra security.

konshensx16 avatar Apr 09 '19 14:04 konshensx16