
Handling Autologin with expired jwt

We have a web application and use JWT as authentication tokens. A token is valid for, e.g., 1 day. If a user logs back in within that time the token will be updated in the localStorage and everything is fine.

If the user doesn't log in within that time we wanted to provide some sort of autologin, to avoid making our users log in every other day.

The easy solution would be storing the credentials in the localStorage, but this doesn't seem to be very safe.

Is there another approach to this common problem?

It seems that you would like to use one security mechanism to update another. And if these are both on the same domain, then you may be best off just increasing the expiry of the issued tokens in the first place to match the use case. Storing non-expiring credentials in order to be able to re-issue short-lived secondary tokens seems insecure and defeats the purpose.

However, if one token is issued from another domain, then you get more into a single sign-on scenario. For instance, OpenID Connect has a facility (prompt=none) for websites to check the current login state at the provider and get a new (short-lived) secondary token without user interaction.

