Open RubenFern opened 6 months ago
We have to discuss this. Refresh tokens should also expire (they should have a longer expiry, but still an expiry date).
If the user does not enter the web app frequently, it can happen that both the access tokens and the refresh tokens expire.
Should we keep only the access token but give it a very long expiry? Maybe a year?
Important safety consideration:
Storing refresh tokens in the browser can be a security issue. Context:
Yes, you read that right. When we have refresh token rotation in place, we can store tokens in local storage or browser memory. You may have heard before (maybe from us) that we should not store tokens in local storage. Storing tokens in browser local storage provides persistence across page refreshes and browser tabs; however, if malicious users managed to run JavaScript in the SPA using a cross-site scripting (XSS) attack, they could retrieve the tokens stored in local storage. A vulnerability leading to a successful XSS attack could be present in the SPA source code or any third-party JavaScript code the app consumes, such as Bootstrap or Google Analytics. However, we can reduce the absolute token expiration time of tokens to reduce the security risks of storing tokens in local storage. This reduces the impact of a reflected XSS attack (but not of a persistent one). A refresh token may have a long lifespan by configuration. However, the defined long lifespan of a refresh token is cut short with refresh token rotation. The refresh token is only valid within the lifespan of the access token, which would be short-lived.
I await the decision of @mesacarlos
Important information about HttpOnly cookies; it could be a solution, since the API does not store state:
Storage in the browser: Once the user's browser receives the cookie, it stores it locally as instructed by the server. The browser automatically attaches the cookie to every subsequent HTTP request it makes to the same website.
Use on the server side: When the web server receives a request that contains the HttpOnly cookie, it can verify and use the information stored in the cookie to authenticate the user and keep their session active. Because an HttpOnly cookie is inaccessible from the client side, it is extremely difficult for attackers to carry out cross-site scripting (XSS) attacks to steal the cookie's contents.
As an app user, I want to keep my session open and not have to log in every few days, so that I can enjoy a better user experience.