
What is a good expiration time for a JWT so that a user will never get logged out unless he clicks log out? Note that the node.js server could be up and running forever.

OneMoreQuestion
  • Just set it to more than 100 years if that's what you want. – Bidhan Jul 01 '15 at 07:55
  • there should be no need for that: when the JWT expires you'd just get a new one at the Authorization Server; if the user is still logged in (i.e. has not logged out explicitly) a new JWT can silently be provided without bothering the user; note that this aligns the JWT and the user login session – Hans Z. Jul 01 '15 at 08:13
  • So what exactly is a downside to setting it for 100 yrs? In terms of security? @BidhanA – OneMoreQuestion Jul 01 '15 at 18:35
  • And why set an expiration time at all? @HansZ. – OneMoreQuestion Jul 01 '15 at 18:36
  • best security practice: tokens that live forever will end up in the wrong place eventually – Hans Z. Jul 01 '15 at 19:38
  • @HansZ. so if you set the exp of a token to say 24 hrs, does that mean the user will have to log out/back in every 24 hrs to keep access? – OneMoreQuestion Jul 01 '15 at 20:56
  • not necessarily: it means that after 24 hrs the authorization server will be consulted again; the authorization server may issue a new JWT based on existing SSO session or require explicit login if that is expired – Hans Z. Jul 01 '15 at 22:18
  • @HansZ. so it might not be a bad idea to set the exp to 24 hrs, which means the system will get a new token every work day. Thank you for all the help! – OneMoreQuestion Jul 02 '15 at 01:12

1 Answer

This is not the right way to do it. Never give your JWT too long an expiration time. If your token is stolen, then the attacker will get more access because this token never expires. JWT is private-key-based matching. Until the secret is changed, your source is accessible with that key.

Use a refresh_token instead, which will have no expiry time. Use your refresh_token to get a new access_token. You can also expire the refresh_token on a per-device basis.

Arjun Nayak