JWT Token Expired PHP Laravel
We have three platforms: PHP backend, Android and iOS apps. iOS users are unable to communicate with the backend after a few days of using the app.
After debugging I found out the issue is a 401, Token Expired, thrown from JWT.
Sample Request:
URL : https://xx.xx.xxx/api/v1/xx
header : Accept: application/json
parameters : ["userId": xx, "countryId": 0, "deviceType": 1, "pageNo": 1, "token": "xxx", "deviceToken": "xx", "shuffleId": "", "action": 1, "buzcategory": "", "keyWord": "", "socialMediaId": "", "totalCount": 100, "productType": "", "businessName": "", "cityId": 0]
Sample Response:
Response : {
"error" : "Token is Expired",
"status" : 401
}
I would like to know if making JWT_TTL and JWT_REFRESH_TTL null will fix the issue in jwt.php, like:
'refresh_ttl' => env('JWT_REFRESH_TTL', null),
'ttl' => env('JWT_TTL', null),
'required_claims' => [
'iss',
'iat',
// 'exp',
'nbf',
'sub',
'jti',
],
The null value will fix a problem, but is not particularly recommended.
I advise implementing the "refresh token mechanism" on the app side if the server response is "Token is Expired": if an attacker gets access to the infinite JWT token, he can use API features even if the security hole is fixed in the next app version.
/*
|--------------------------------------------------------------------------
| JWT time to live
|--------------------------------------------------------------------------
|
| Specify the length of time (in minutes) that the token will be valid for.
| Defaults to 1 hour.
|
| You can also set this to null, to yield a never expiring token.
| Some people may want this behaviour for e.g. a mobile app.
| This is not particularly recommended, so make sure you have appropriate
| systems in place to revoke the token if necessary.
|
*/
'ttl' => env('JWT_TTL', 60),
JWT_REFRESH_TTL
/*
|--------------------------------------------------------------------------
| Refresh time to live
|--------------------------------------------------------------------------
|
| Specify the length of time (in minutes) that the token can be refreshed
| within. I.E. The user can refresh their token within a 2 week window of
| the original token being created until they must re-authenticate.
| Defaults to 2 weeks.
|
| You can also set this to null, to yield an infinite refresh time.
| Some may want this instead of never expiring tokens for e.g. a mobile app.
| This is not particularly recommended, so make sure you have appropriate
| systems in place to revoke the token if necessary.
|
*/
'refresh_ttl' => env('JWT_REFRESH_TTL', 20160),
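The server-side half of the refresh mechanism the answer recommends, as an added example (not code from the question or the answer): a Laravel middleware that keeps a short `ttl` and, when the token is expired but still inside `refresh_ttl`, issues a fresh token instead of handing out a never-expiring one. It assumes the tymon/jwt-auth package (whose jwt.php matches the config comments quoted above) and a middleware name, `RefreshExpiredJwt`, chosen for this example.

```php
<?php
// Added example, not from the question or answer. Assumes tymon/jwt-auth.
// Rather than 'ttl' => null (a token that never expires and cannot be
// limited once leaked), keep a short 'ttl' and let the client exchange an
// expired token for a new one while still inside 'refresh_ttl'.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Tymon\JWTAuth\Exceptions\JWTException;
use Tymon\JWTAuth\Exceptions\TokenExpiredException;
use Tymon\JWTAuth\Facades\JWTAuth;

class RefreshExpiredJwt
{
    public function handle(Request $request, Closure $next)
    {
        try {
            // Normal case: the token (Authorization header or the "token"
            // parameter, as in the sample request) is still inside 'ttl'.
            JWTAuth::parseToken()->authenticate();
            return $next($request);
        } catch (TokenExpiredException $e) {
            try {
                // Expired, but the original token's iat is still inside
                // 'refresh_ttl': mint a new token. The old one is blacklisted
                // when the package's blacklist is enabled.
                $newToken = JWTAuth::parseToken()->refresh();
            } catch (JWTException $e) {
                // Refresh window exceeded too (or token blacklisted): the app
                // must re-authenticate with credentials. Same body as the page.
                return response()->json(['error' => 'Token is Expired', 'status' => 401], 401);
            }
            // Serve this request with the new token and return it to the
            // client, which must replace the token it stored.
            JWTAuth::setToken($newToken)->authenticate();
            $response = $next($request);
            $response->headers->set('Authorization', 'Bearer ' . $newToken);
            return $response;
        } catch (JWTException $e) {
            // Missing, malformed or tampered token: never refresh these.
            return response()->json(['error' => 'Token is Invalid', 'status' => 401], 401);
        }
    }
}
```

The iOS and Android apps then only need to read the `Authorization` header of every response and store the new value; a 401 from the refresh path is the signal to show the login screen, not a reason to widen `ttl`.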