stackoom
  简体   繁体   中英

JWT Token Expired PHP Laravel

 原文  2022-07-11 01:50:33       php/ laravel/ jwt/ access-token

Question

We have three platforms : PHP backend, android and iOS apps. iOS users are unable to communicate with the backend after few days of using the app.

After debugging I found out the issue is a 401, Token Expired, thrown from JWT.

Sample Request:

URL : https://xx.xx.xxx/api/v1/xx
header : Accept: application/json
parameters : ["userId": xx, "countryId": 0, "deviceType": 1, "pageNo": 1, "token": “xxx”, "deviceToken": “xx”, "shuffleId": "", "action": 1, "buzcategory": "", "keyWord": "", "socialMediaId": "", "totalCount": 100, "productType": "", "businessName": "", "cityId": 0]

Sample Response:

Response : {
  "error" : "Token is Expired",
  "status" : 401
}

I would like to know if making JWT_TTL and JWT_REFRESH_TTL null will fix the issue in jwt.php like:

'refresh_ttl' => env ('JWT_REFRESH_TTL', Null),
'ttl' => env ('JWT_TTL', NULL),
 'required_claims' => [
        'iss',
        'iat',
        // 'exp',
        'nbf',
        'sub',
        'jti',
    ],

1 answers

solution1
 1  2022-07-11 08:25:07

The null value will fix a problem, but is not particularly recommended.

I advice to implement the "refresh token mechanism" on the app side if server response is "Token is Expired": if an attacker gets access to the infinite jwt token, he can use API features, even if security hole will fixed in next app version.

JWT_TTL 

/*
|--------------------------------------------------------------------------
| JWT time to live
|--------------------------------------------------------------------------
|
| Specify the length of time (in minutes) that the token will be valid for.
| Defaults to 1 hour.
|
| You can also set this to null, to yield a never expiring token.
| Some people may want this behaviour for e.g. a mobile app.
| This is not particularly recommended, so make sure you have appropriate
| systems in place to revoke the token if necessary.
|
*/

'ttl' => env('JWT_TTL', 60),

JWT_REFRESH_TTL 

/*
|--------------------------------------------------------------------------
| Refresh time to live
|--------------------------------------------------------------------------
|
| Specify the length of time (in minutes) that the token can be refreshed
| within. I.E. The user can refresh their token within a 2 week window of
| the original token being created until they must re-authenticate.
| Defaults to 2 weeks.
|
| You can also set this to null, to yield an infinite refresh time.
| Some may want this instead of never expiring tokens for e.g. a mobile app.
| This is not particularly recommended, so make sure you have appropriate
| systems in place to revoke the token if necessary.
|
*/

'refresh_ttl' => env('JWT_REFRESH_TTL', 20160),

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question JWT/LARAVEL token expired PHP JWT:: **Decode** expired Token JWT/LARAVEL 5.6 refresh expired token Laravel/Lumen Auth JWT token not valid in subsequent requests, is it possibly expired? Base 64 Decode Token that may have expired JWT php Check if token expired in Laravel Handling expired token in Laravel Expired JWT Token when trying to authenticate? JWT - TOKEN_EXPIRED after second refresh Laravel / vuejs JWT token
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM