Session Management, Tokens & Refresh Tokens

sudhi_ranjangupta_adc8df

Sudhi Ranjan Gupta

Posted on October 27, 2024

Session Management, Tokens & Refresh Tokens

The working cycle of session expiration, refresh token, and re-login follows a common pattern in token-based authentication systems (like JWT), and it ensures secure access while balancing user experience. Here’s how each component typically fits into the cycle:

1. Session Expiration:

  • Session Expiry occurs when the token or session reaches its validity period. A token (like JWT) generally has a short lifespan to mitigate security risks.
  • Access Token: This token is used to authenticate requests to the server. It is usually short-lived (e.g., 15-30 minutes) for security reasons.
  • Mechanism:
    • When the access token expires, the client can no longer access protected resources using that token.
    • At this point, the client needs to either refresh the token using a refresh token or force the user to log in again.

2. Refresh Token:

  • A refresh token is a long-lived token that allows the user to obtain a new access token without re-logging in. Its expiration period is usually longer (e.g., weeks or months) than the access token.
  • Working:
    • When the access token expires, the client (typically a front-end app) sends the refresh token to the server in exchange for a new access token.
    • The server checks the refresh token to ensure it’s valid and hasn’t expired. If it’s valid, the server generates and returns a new access token to the client.
    • This happens transparently to the user, meaning they can continue using the application without re-logging in.
  • Scenarios when Refresh Token works:
    • Refresh tokens are often stored securely (e.g., in HTTP-only cookies) and are not sent with every request—only when the access token expires.
    • If the refresh token is valid, it grants a new access token without needing to authenticate again.
    • If the refresh token is expired or invalid, the user must re-login to generate new tokens.

3. Re-Login (When Refresh Token Expires):

  • If the refresh token also expires or becomes invalid (e.g., user logs out from all devices, or the refresh token is compromised), the user must re-authenticate by logging in again.
  • Scenarios when Re-Login is Needed:
    • The refresh token itself has expired, typically after a long period of inactivity (weeks or months).
    • The user logs out manually, clearing both access and refresh tokens.
    • The refresh token is revoked on the server side, which can happen for security reasons (e.g., password change or account compromise).

Typical Working Cycle:

  1. Initial Login:
    • The user logs in with credentials (username, password, or via an OAuth2 provider).
    • The server issues both an access token (short-lived) and a refresh token (longer-lived).
    • The access token is used to authenticate API requests, while the refresh token is stored securely (usually in a cookie or secure storage).
  2. Session In-Progress (Using Access Token):
    • The client sends requests to the server using the access token for authentication.
    • This continues until the access token expires (e.g., after 15 minutes).
  3. Access Token Expiry:
    • After the access token expires, the client detects that the token is no longer valid (e.g., a 401 Unauthorised response from the server).
    • The client then sends the refresh token to the server to get a new access token.
  4. Refresh Token Flow:
    • If the refresh token is valid:
      • The server issues a new access token.
      • The client continues using the new access token to access protected resources.
    • If the refresh token has expired or is invalid:
      • The server responds with an error (e.g., 403 Forbidden), indicating the client must log in again.
  5. Re-Login:
    • If the refresh token is no longer valid (expired, revoked, etc.), the client will redirect the user to the login page.
    • The user will need to log in again to obtain a new pair of access and refresh tokens.

When to Use Each Component:

  1. Access Token:
    • Used to authorise and authenticate most API requests.
    • Works until it expires, which is typically a short time (minutes).
  2. Refresh Token:
    • Used to get a new access token without re-logging in when the access token expires.
    • Works until it expires (usually a much longer time, weeks/months).
  3. Re-Login:
    • Required when both the access and refresh tokens are expired or revoked.
    • User must provide credentials again.

Mermaid Version To understand the flow in depth:

sequenceDiagram
    participant User
    participant ClientApp
    participant AuthServer
    participant API

    Note over User,ClientApp: Initial Login
    User ->> ClientApp: Provide credentials (e.g., username, password)
    ClientApp ->> AuthServer: Send credentials
    AuthServer ->> ClientApp: Access Token (15 mins) & Refresh Token (30 days)
    ClientApp ->> User: Logged In, Tokens stored (Access Token & Refresh Token)

    Note over ClientApp,API: Session In-Progress (Using Access Token)
    ClientApp ->> API: Send Access Token
    API ->> ClientApp: Response (Success)

    Note over ClientApp,API: Access Token Expired (e.g., after 15 mins)
    ClientApp ->> API: Send Access Token (Expired)
    API ->> ClientApp: 401 Unauthorized (Access Token expired)

    Note over ClientApp,AuthServer: Refresh Token Flow (Client sends Refresh Token)
    ClientApp ->> AuthServer: Send Refresh Token
    alt Refresh Token Valid
        AuthServer ->> ClientApp: New Access Token
        ClientApp ->> API: Send New Access Token
        API ->> ClientApp: Response (Success)
    else Refresh Token Expired
        AuthServer ->> ClientApp: 403 Forbidden (Re-login required)
        ClientApp ->> User: Redirect to Login (Session Expired)
    end

    Note over User,ClientApp: Re-Login (Required)
    User ->> ClientApp: Provide credentials
    ClientApp ->> AuthServer: Send credentials
    AuthServer ->> ClientApp: New Access Token & Refresh Token
    ClientApp ->> User: Logged In, Tokens refreshed

Enter fullscreen mode Exit fullscreen mode

Image description

Mathematical Example

  • Login → User logs in → Receives access token (15 mins) + refresh token (30 days).
  • Access Token Expiry → After 15 minutes, access token expires → Client sends refresh token to server.
  • Refresh Token Valid → If refresh token is valid → Server issues a new access token → User continues without re-logging in.
  • Refresh Token Expiry → After 30 days (or on logout), refresh token expires → User must re-login to get a new set of tokens.
💖 💪 🙅 🚩
sudhi_ranjangupta_adc8df
Sudhi Ranjan Gupta

Posted on October 27, 2024

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related