Session Management, Tokens & Refresh Tokens
Sudhi Ranjan Gupta
Posted on October 27, 2024
The working cycle of session expiration, refresh token, and re-login follows a common pattern in token-based authentication systems (like JWT), and it ensures secure access while balancing user experience. Here’s how each component typically fits into the cycle:
1. Session Expiration:
- Session Expiry occurs when the token or session reaches its validity period. A token (like JWT) generally has a short lifespan to mitigate security risks.
- Access Token: This token is used to authenticate requests to the server. It is usually short-lived (e.g., 15-30 minutes) for security reasons.
- Mechanism:
  - When the access token expires, the client can no longer access protected resources using that token.
  - At this point, the client needs to either refresh the token using a refresh token or force the user to log in again.
2. Refresh Token:
- A refresh token is a long-lived token that allows the user to obtain a new access token without re-logging in. Its expiration period is usually longer (e.g., weeks or months) than the access token.
- Working:
  - When the access token expires, the client (typically a front-end app) sends the refresh token to the server in exchange for a new access token.
  - The server checks the refresh token to ensure it’s valid and hasn’t expired. If it’s valid, the server generates and returns a new access token to the client.
  - This happens transparently to the user, meaning they can continue using the application without re-logging in.
- Scenarios when Refresh Token works:
  - Refresh tokens are often stored securely (e.g., in HTTP-only cookies) and are not sent with every request—only when the access token expires.
  - If the refresh token is valid, it grants a new access token without needing to authenticate again.
  - If the refresh token is expired or invalid, the user must re-login to generate new tokens.
3. Re-Login (When Refresh Token Expires):
- If the refresh token also expires or becomes invalid (e.g., user logs out from all devices, or the refresh token is compromised), the user must re-authenticate by logging in again.
- Scenarios when Re-Login is Needed:
  - The refresh token itself has expired, typically after a long period of inactivity (weeks or months).
  - The user logs out manually, clearing both access and refresh tokens.
  - The refresh token is revoked on the server side, which can happen for security reasons (e.g., password change or account compromise).
Typical Working Cycle:
- Initial Login:
  - The user logs in with credentials (username, password, or via an OAuth2 provider).
  - The server issues both an access token (short-lived) and a refresh token (longer-lived).
  - The access token is used to authenticate API requests, while the refresh token is stored securely (usually in a cookie or secure storage).
- Session In-Progress (Using Access Token):
  - The client sends requests to the server using the access token for authentication.
  - This continues until the access token expires (e.g., after 15 minutes).
- Access Token Expiry:
  - After the access token expires, the client detects that the token is no longer valid (e.g., a 401 Unauthorized response from the server).
  - The client then sends the refresh token to the server to get a new access token.
- Refresh Token Flow:
  - If the refresh token is valid:
    - The server issues a new access token.
    - The client continues using the new access token to access protected resources.
  - If the refresh token has expired or is invalid:
    - The server responds with an error (e.g., 403 Forbidden), indicating the client must log in again.
- Re-Login:
  - If the refresh token is no longer valid (expired, revoked, etc.), the client will redirect the user to the login page.
  - The user will need to log in again to obtain a new pair of access and refresh tokens.
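The cycle above as a runnable sketch, added here as an illustration and not code from the original post. The names `AuthServer` and `call_api`, the JWT-like HMAC-signed access token (not a real JWT library), and storing only a hash of the opaque refresh token are assumptions of this example; the 15-minute and 30-day lifetimes are the article's.

```python
import base64, hashlib, hmac, json, secrets
ACCESS_TTL = 15 * 60          # 15 minutes, as in the article
REFRESH_TTL = 30 * 24 * 3600  # 30 days, as in the article

class AuthServer:
    """Toy auth server plus protected API; `clock` is injected so time can be simulated."""
    def __init__(self, clock):
        self.clock, self.key = clock, secrets.token_bytes(32)
        self.refresh = {}  # sha256(refresh token) -> (user, expiry); raw token never stored

    def _sign(self, body):
        return hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()

    def _access(self, user):
        claims = {"sub": user, "exp": self.clock() + ACCESS_TTL}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode())
        return (body + b"." + self._sign(body)).decode()

    def login(self, user):  # assumption: credentials were already verified
        rt = secrets.token_urlsafe(32)
        key = hashlib.sha256(rt.encode()).hexdigest()
        self.refresh[key] = (user, self.clock() + REFRESH_TTL)
        return {"access": self._access(user), "refresh": rt}

    def api(self, token):  # protected resource: 200 if token valid, else 401
        body, _, sig = token.encode().partition(b".")
        if not hmac.compare_digest(sig, self._sign(body)):
            return 401
        exp = json.loads(base64.urlsafe_b64decode(body))["exp"]
        return 200 if self.clock() < exp else 401

    def refresh_access(self, rt):  # (200, token) or (403, None)
        rec = self.refresh.get(hashlib.sha256(rt.encode()).hexdigest())
        if rec is None or self.clock() >= rec[1]:
            return 403, None  # unknown, revoked or expired
        return 200, self._access(rec[0])

    def revoke_all(self, user):  # e.g. password change or logout from all devices
        self.refresh = {k: r for k, r in self.refresh.items() if r[0] != user}

def call_api(server, tokens):
    """Client: use access token; on 401 refresh once; on 403 require re-login."""
    if server.api(tokens["access"]) == 200:
        return "ok"
    status, new_access = server.refresh_access(tokens["refresh"])
    if status != 200:
        return "login-required"
    tokens["access"] = new_access
    return "ok" if server.api(new_access) == 200 else "login-required"
```

Advancing the injected clock past `ACCESS_TTL` exercises the silent refresh path; advancing it past `REFRESH_TTL` or calling `revoke_all` forces the re-login path.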
When to Use Each Component:
- Access Token:
  - Used to authorise and authenticate most API requests.
  - Works until it expires, which is typically a short time (minutes).
- Refresh Token:
  - Used to get a new access token without re-logging in when the access token expires.
  - Works until it expires (usually a much longer time, weeks/months).
- Re-Login:
  - Required when both the access and refresh tokens are expired or revoked.
  - User must provide credentials again.
Mermaid version, to understand the flow in depth:

```mermaid
sequenceDiagram
    participant User
    participant ClientApp
    participant AuthServer
    participant API
    Note over User,ClientApp: Initial Login
    User ->> ClientApp: Provide credentials (e.g., username, password)
    ClientApp ->> AuthServer: Send credentials
    AuthServer ->> ClientApp: Access Token (15 mins) & Refresh Token (30 days)
    ClientApp ->> User: Logged In, Tokens stored (Access Token & Refresh Token)
    Note over ClientApp,API: Session In-Progress (Using Access Token)
    ClientApp ->> API: Send Access Token
    API ->> ClientApp: Response (Success)
    Note over ClientApp,API: Access Token Expired (e.g., after 15 mins)
    ClientApp ->> API: Send Access Token (Expired)
    API ->> ClientApp: 401 Unauthorized (Access Token expired)
    Note over ClientApp,AuthServer: Refresh Token Flow (Client sends Refresh Token)
    ClientApp ->> AuthServer: Send Refresh Token
    alt Refresh Token Valid
        AuthServer ->> ClientApp: New Access Token
        ClientApp ->> API: Send New Access Token
        API ->> ClientApp: Response (Success)
    else Refresh Token Expired
        AuthServer ->> ClientApp: 403 Forbidden (Re-login required)
        ClientApp ->> User: Redirect to Login (Session Expired)
    end
    Note over User,ClientApp: Re-Login (Required)
    User ->> ClientApp: Provide credentials
    ClientApp ->> AuthServer: Send credentials
    AuthServer ->> ClientApp: New Access Token & Refresh Token
    ClientApp ->> User: Logged In, Tokens refreshed
```
Mathematical Example
- Login → User logs in → Receives access token (15 mins) + refresh token (30 days).
- Access Token Expiry → After 15 minutes, access token expires → Client sends refresh token to server.
- Refresh Token Valid → If refresh token is valid → Server issues a new access token → User continues without re-logging in.
- Refresh Token Expiry → After 30 days (or on logout), refresh token expires → User must re-login to get a new set of tokens.