You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In case of per-cookie authentication, both the short time to live (TTL) JWT access token and the longer TTL refresh tokens are set with set-cookie response header upon successful authentication HTTP request. Both tokens have the same Path attribute value (as per JWT_COOKIE_PATH setting), the same SameSite attribute value (as per JWT_COOKIE_SAMESITE) as well as Domain attribute value (as per JWT_COOKIE_DOMAIN setting), but different Max-Age and Expires values (as per related settings - one is short-living, the other is not).
Effectively it means that both tokens (while not expired) are then included in the subsequent API calls be it a regular graphql API call or an authentication-related API call, like ‘refresh token’ or similar.
My question – is this supposed to be so? Or, this is a bit oversimplified implementation of short-ttl-access-tokens / longer-ttl-refresh-token concept over HttpOnly cookies?
As far as I understand the idea behind short-ttl-access-tokens / longer-ttl-refresh-token concept, longer-ttl-refresh-token has to be kept inaccessible to Javascript (kept in HttpOnly cookie) while short-ttl-access-tokens has to be available to Javascript in order to do API calls, possibly to different domains and endpoints.
The text was updated successfully, but these errors were encountered:
In case of per-cookie authentication, both the short time to live (TTL) JWT access token and the longer TTL refresh tokens are set with set-cookie response header upon successful authentication HTTP request. Both tokens have the same Path attribute value (as per JWT_COOKIE_PATH setting), the same SameSite attribute value (as per JWT_COOKIE_SAMESITE) as well as Domain attribute value (as per JWT_COOKIE_DOMAIN setting), but different Max-Age and Expires values (as per related settings - one is short-living, the other is not).
Effectively it means that both tokens (while not expired) are then included in the subsequent API calls be it a regular graphql API call or an authentication-related API call, like ‘refresh token’ or similar.
My question – is this supposed to be so? Or, this is a bit oversimplified implementation of
short-ttl-access-tokens / longer-ttl-refresh-tokenconcept over HttpOnly cookies?As far as I understand the idea behind
short-ttl-access-tokens / longer-ttl-refresh-tokenconcept, longer-ttl-refresh-token has to be kept inaccessible to Javascript (kept in HttpOnly cookie) while short-ttl-access-tokens has to be available to Javascript in order to do API calls, possibly to different domains and endpoints.The text was updated successfully, but these errors were encountered: