Token expiration times #182

Closed
manuel-syone opened this issue Jul 26, 2016 · 6 comments

Comments

@manuel-syone

Hello! I'm new to JWT, and I am having some troubles understanding the token invalidation after some time. Right now I am able to generate tokens and login and invalidate them on logout. Users with a valid token are able to access services on the back-end. How do I deal with the freshness issues of the token? What's a common policy for token expiration? Let me know if you need me to be clear on some aspect of this question.

@nelsonic
Member

Hi @manuel-syone, the "easy" way to implement session expiration with JWTs is using the exp claim, which is set to the number of seconds in the future you want the token to expire.

However, we use Redis to track sessions in our apps because it allows "Repudiation" i.e. invalidating a token before the expiration. (e.g. if someone reports their phone as stolen...) ... but this might be "overkill" for your situation so you need to make a judgement call.

The amount of time you set for expiration entirely depends on the type of application you are building and the "perceived" security of session expiration, e.g. banks usually log you out automatically after 10 mins but many social network apps will set expiration for a month.

I'd recommend following the "Accessibility" approach to session timeout. See:
https://www.quora.com/In-a-UX-perspective-what-are-the-best-practices-for-implementing-a-session-timeout-expiry-in-a-website-being-security-as-the-main-concern and https://www.ssa.gov/accessibility/bpl/bps/forms/timeout/default.htm
There's quite a lot of UX/UI that goes into implementing a short expiration time, and don't forget to include a redirect back to the content the person was expecting to see once you have forced them to re-authenticate.

In my experience of observing many people (of all ages) using/testing web applications, the ones who are "security" (privacy) conscious will always click the logout button before leaving the device, whereas the rest expect their session to be preserved across sessions... are you able to ask your "users"...?

There are obviously security considerations to session timeout: https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Idle_Timeout but these are mostly related to an attacker gaining physical access to the person's device; if that is the case you have bigger problems.

For example you could log someone out if their IP address changes naively thinking that you are preventing "hackers" from hijacking a session, meanwhile you will have many false positives for people on mobile devices who change IP address each time they move cell towers and would thus be logged out multiple times per day. 😞

@nelsonic
Member

@manuel-syone please let us know if that answers your question ... if so we can add the answer to our "FAQ" and close this issue. (thanks!)

@manuel-syone
Author

@nelsonic Sorry for not answering sooner. Firstly, thank you for your great answer, it was very complete and explanatory! I believe this answers my question for now; at this point I moved to another task and I can't implement and test an approach using the exp field w/ an invalidation mechanism, but based on the contents you sent I think I am able to do so. Thank you again for taking the time to answer me 😃

@nelsonic
Member

Cool. Glad I was able to help. Closing this issue. 👍

@shai32

shai32 commented May 14, 2017

@nelsonic The problem with the easy approach, or even the Redis one, is that there is no activeDuration. E.g.:
Let's say the user gets a token with a long expiration date (let's say 7 days)
when he logs in, having clicked on "remember me".
Now the user uses the site every day; after 7 days he still has his original token (that is stored in his browser).
He opens the website, no login needed (the token still has 1 minute left), and then suddenly, after 1 min of use, the website throws him out.

The user does not understand what happened and why.

So we need a way to define some sort of activeDuration:
activeDuration allows users to lengthen their session by interacting with the site. If the session is 28 minutes old and the user sends another request, activeDuration will extend the session's life for however long you define. In this case, 15 minutes.
In short, activeDuration prevents the app from logging a user out while they're still using the site.

It sounds like a must-have for any site that wants a good user experience.
Am I wrong?

@shai32

shai32 commented May 20, 2017

The solution is here:
#237
Thanks @bitcloud
