[英]JWT Token Expired PHP Laravel
我們擁有三個平台:PHP 后端、android 和 iOS 應用程序。 iOS 用戶在使用該應用幾天后無法與后端通信。
調試后我發現問題是 JWT 拋出的 401,令牌過期。
樣品要求:
URL : https://xx.xx.xxx/api/v1/xx
header : Accept: application/json
parameters : ["userId": xx, "countryId": 0, "deviceType": 1, "pageNo": 1, "token": “xxx”, "deviceToken": “xx”, "shuffleId": "", "action": 1, "buzcategory": "", "keyWord": "", "socialMediaId": "", "totalCount": 100, "productType": "", "businessName": "", "cityId": 0]
示例響應:
Response : {
"error" : "Token is Expired",
"status" : 401
}
我想知道將JWT_TTL
和JWT_REFRESH_TTL
null 是否可以解決jwt.php
中的問題,例如:
'refresh_ttl' => env ('JWT_REFRESH_TTL', Null),
'ttl' => env ('JWT_TTL', NULL),
'required_claims' => [
'iss',
'iat',
// 'exp',
'nbf',
'sub',
'jti',
],
null
值可以解決問題,但不特別推薦。
如果服務器響應為“令牌已過期”,我建議在應用程序端實現“刷新令牌機制”:如果攻擊者可以訪問無限 jwt 令牌,他可以使用 API 功能,即使安全漏洞將在下一個應用程序中修復版本。
/*
|--------------------------------------------------------------------------
| JWT time to live
|--------------------------------------------------------------------------
|
| Specify the length of time (in minutes) that the token will be valid for.
| Defaults to 1 hour.
|
| You can also set this to null, to yield a never expiring token.
| Some people may want this behaviour for e.g. a mobile app.
| This is not particularly recommended, so make sure you have appropriate
| systems in place to revoke the token if necessary.
|
*/
'ttl' => env('JWT_TTL', 60),
/*
|--------------------------------------------------------------------------
| Refresh time to live
|--------------------------------------------------------------------------
|
| Specify the length of time (in minutes) that the token can be refreshed
| within. I.E. The user can refresh their token within a 2 week window of
| the original token being created until they must re-authenticate.
| Defaults to 2 weeks.
|
| You can also set this to null, to yield an infinite refresh time.
| Some may want this instead of never expiring tokens for e.g. a mobile app.
| This is not particularly recommended, so make sure you have appropriate
| systems in place to revoke the token if necessary.
|
*/
'refresh_ttl' => env('JWT_REFRESH_TTL', 20160),
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.