use of jwt inside mobile application

0 votes
asked by user (1.6k points)

I have a mobile application made with swift and used php/mysql for the backend.

At the moment, when a user signs in, I check the username and password against the credentials stored inside mysql. If it is a match, a JWT is created using the secret key I have stored inside a .env file. It's then saved inside the iOS keychain to be used whenever necessary inside the application.

I have a few issues with the use of JWT:

  1. Expiry time - What is an ideal expiry time? I've read anything from a week to not setting one at all. Obviously this depends on the application, as I imagine a banking app will need a much shorter token.

  2. Someone else has the account's username and password - Let's say person A owns an account, but person B somehow has the necessary credentials to log in. Therefore, person A wants to reset their password as someone else has unwanted access to their account, but person B is still logged in after the password of the account has been reset because the JWT hasn't expired. How do you protect against this so that when person A's password is reset, person B no longer has access with the use of JWT?

I've also read about refresh tokens but can't seem to come across any definitive info on how it's used inside a mobile application.

commented by user (140 points)
I would say this is way too broad a topic for a simple question on SO. There are resources out there that explain the use of refresh tokens (long expiration) and JWTs (short expiration), blocking them if needed, etc., quite easily found.
commented by user (1.6k points)
Are refresh tokens and JWTs totally different things? @SamiKuhmonen
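The pattern the comment alludes to, as an added, self-contained example that is not code from the asker or from any answer on this page: a short-lived HS256 JWT for API calls, an opaque one-time refresh token for getting new JWTs, and a per-user token version (`ver`) stamped into every JWT. Resetting the password bumps the version and deletes the user's refresh tokens, so a JWT that person B still holds fails verification immediately even though its `exp` has not passed. Everything here is hypothetical: the users and refresh tokens live in Python dicts standing in for the question's MySQL tables, `SECRET` stands in for the `.env` secret, and the TTL values are illustrative choices, not a recommendation for any particular app.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

# Hypothetical stand-ins: in the question's backend the secret comes from .env
# and the users / refresh_tokens tables live in MySQL.
SECRET = b"replace-me-with-the-.env-secret"
ACCESS_TTL = 15 * 60            # short-lived JWT (illustrative: 15 minutes)
REFRESH_TTL = 30 * 24 * 3600    # opaque refresh token (illustrative: 30 days)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthServer:
    def __init__(self):
        self.users = {}           # username -> {"salt", "hash", "ver"}
        self.refresh_tokens = {}  # opaque token -> {"sub", "ver", "exp"}

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": _hash_password(password, salt), "ver": 1}

    def _issue_access(self, username, now):
        # Standard JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        claims = {"sub": username, "iat": now, "exp": now + ACCESS_TTL,
                  "ver": self.users[username]["ver"]}   # ver ties the JWT to the current password
        payload = _b64url(json.dumps(claims).encode())
        sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64url(sig)}"

    def _issue_refresh(self, username, now):
        # Opaque random string, stored server-side so it can be revoked; not a JWT.
        token = secrets.token_urlsafe(32)
        self.refresh_tokens[token] = {"sub": username, "ver": self.users[username]["ver"],
                                      "exp": now + REFRESH_TTL}
        return token

    def login(self, username, password, now=None):
        now = int(now if now is not None else time.time())
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["hash"], _hash_password(password, user["salt"])):
            return None
        return self._issue_access(username, now), self._issue_refresh(username, now)

    def verify_access(self, token, now=None):
        """Return the username for a valid JWT, or None. Rejects bad signature, wrong alg, expiry and stale ver."""
        now = int(now if now is not None else time.time())
        try:
            header_b64, payload_b64, sig_b64 = token.split(".")
            if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":  # never honour alg from the token
                return None
            expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
                return None
            claims = json.loads(_b64url_decode(payload_b64))
            if now >= claims["exp"]:
                return None
            user = self.users.get(claims["sub"])
            if user is None or claims.get("ver") != user["ver"]:   # password reset since issue -> reject
                return None
            return claims["sub"]
        except (ValueError, KeyError, TypeError):   # malformed token, bad base64/JSON, missing claim
            return None

    def refresh(self, refresh_token, now=None):
        """Exchange a refresh token for a new (access, refresh) pair; the old refresh token is consumed."""
        now = int(now if now is not None else time.time())
        entry = self.refresh_tokens.pop(refresh_token, None)    # one-time use: rotation
        if entry is None or now >= entry["exp"]:
            return None
        user = self.users.get(entry["sub"])
        if user is None or entry["ver"] != user["ver"]:
            return None
        return self._issue_access(entry["sub"], now), self._issue_refresh(entry["sub"], now)

    def reset_password(self, username, new_password):
        user = self.users[username]
        user["salt"] = os.urandom(16)
        user["hash"] = _hash_password(new_password, user["salt"])
        user["ver"] += 1    # every JWT minted with the old ver is now rejected by verify_access
        self.refresh_tokens = {t: e for t, e in self.refresh_tokens.items() if e["sub"] != username}
```

The `ver` check costs one user lookup per request, which is the trade-off for being able to revoke a JWT before `exp`; without it the only lever is a short `exp`, and person B keeps access until it passes. On the iOS side the app keeps both tokens in the keychain, sends the JWT on each call, and when it gets a 401 for an expired JWT calls the refresh endpoint once; if that also fails (revoked after a reset), it sends the user back to the login screen.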
