Session Management, Tokens & Refresh Tokens

Sudhi Ranjan Gupta — Sun, 27 Oct 2024 06:51:05 +0000

The working cycle of session expiration, refresh token, and re-login follows a common pattern in token-based authentication systems (like JWT), and it ensures secure access while balancing user experience. Here’s how each component typically fits into the cycle:

1. Session Expiration:

Session Expiry occurs when the token or session reaches its validity period. A token (like JWT) generally has a short lifespan to mitigate security risks.
Access Token: This token is used to authenticate requests to the server. It is usually short-lived (e.g., 15-30 minutes) for security reasons.
Mechanism:
- When the access token expires, the client can no longer access protected resources using that token.
- At this point, the client needs to either refresh the token using a refresh token or force the user to log in again.

2. Refresh Token:

A refresh token is a long-lived token that allows the user to obtain a new access token without re-logging in. Its expiration period is usually longer (e.g., weeks or months) than the access token.
Working:
- When the access token expires, the client (typically a front-end app) sends the refresh token to the server in exchange for a new access token.
- The server checks the refresh token to ensure it’s valid and hasn’t expired. If it’s valid, the server generates and returns a new access token to the client.
- This happens transparently to the user, meaning they can continue using the application without re-logging in.
Scenarios when Refresh Token works:
- Refresh tokens are often stored securely (e.g., in HTTP-only cookies) and are not sent with every request—only when the access token expires.
- If the refresh token is valid, it grants a new access token without needing to authenticate again.
- If the refresh token is expired or invalid, the user must re-login to generate new tokens.

3. Re-Login (When Refresh Token Expires):

If the refresh token also expires or becomes invalid (e.g., user logs out from all devices, or the refresh token is compromised), the user must re-authenticate by logging in again.
Scenarios when Re-Login is Needed:
- The refresh token itself has expired, typically after a long period of inactivity (weeks or months).
- The user logs out manually, clearing both access and refresh tokens.
- The refresh token is revoked on the server side, which can happen for security reasons (e.g., password change or account compromise).

Typical Working Cycle:

Initial Login:
- The user logs in with credentials (username, password, or via an OAuth2 provider).
- The server issues both an access token (short-lived) and a refresh token (longer-lived).
- The access token is used to authenticate API requests, while the refresh token is stored securely (usually in a cookie or secure storage).
Session In-Progress (Using Access Token):
- The client sends requests to the server using the access token for authentication.
- This continues until the access token expires (e.g., after 15 minutes).
Access Token Expiry:
- After the access token expires, the client detects that the token is no longer valid (e.g., a 401 Unauthorised response from the server).
- The client then sends the refresh token to the server to get a new access token.
Refresh Token Flow:
- If the refresh token is valid:
  - The server issues a new access token.
  - The client continues using the new access token to access protected resources.
- If the refresh token has expired or is invalid:
  - The server responds with an error (e.g., 403 Forbidden), indicating the client must log in again.
Re-Login:
- If the refresh token is no longer valid (expired, revoked, etc.), the client will redirect the user to the login page.
- The user will need to log in again to obtain a new pair of access and refresh tokens.

When to Use Each Component:

Access Token:
- Used to authorise and authenticate most API requests.
- Works until it expires, which is typically a short time (minutes).
Refresh Token:
- Used to get a new access token without re-logging in when the access token expires.
- Works until it expires (usually a much longer time, weeks/months).
Re-Login:
- Required when both the access and refresh tokens are expired or revoked.
- User must provide credentials again.

Mermaid Version To understand the flow in depth:

sequenceDiagram
    participant User
    participant ClientApp
    participant AuthServer
    participant API

    Note over User,ClientApp: Initial Login
    User ->> ClientApp: Provide credentials (e.g., username, password)
    ClientApp ->> AuthServer: Send credentials
    AuthServer ->> ClientApp: Access Token (15 mins) & Refresh Token (30 days)
    ClientApp ->> User: Logged In, Tokens stored (Access Token & Refresh Token)

    Note over ClientApp,API: Session In-Progress (Using Access Token)
    ClientApp ->> API: Send Access Token
    API ->> ClientApp: Response (Success)

    Note over ClientApp,API: Access Token Expired (e.g., after 15 mins)
    ClientApp ->> API: Send Access Token (Expired)
    API ->> ClientApp: 401 Unauthorized (Access Token expired)

    Note over ClientApp,AuthServer: Refresh Token Flow (Client sends Refresh Token)
    ClientApp ->> AuthServer: Send Refresh Token
    alt Refresh Token Valid
        AuthServer ->> ClientApp: New Access Token
        ClientApp ->> API: Send New Access Token
        API ->> ClientApp: Response (Success)
    else Refresh Token Expired
        AuthServer ->> ClientApp: 403 Forbidden (Re-login required)
        ClientApp ->> User: Redirect to Login (Session Expired)
    end

    Note over User,ClientApp: Re-Login (Required)
    User ->> ClientApp: Provide credentials
    ClientApp ->> AuthServer: Send credentials
    AuthServer ->> ClientApp: New Access Token & Refresh Token
    ClientApp ->> User: Logged In, Tokens refreshed

Mathematical Example

Login → User logs in → Receives access token (15 mins) + refresh token (30 days).
Access Token Expiry → After 15 minutes, access token expires → Client sends refresh token to server.
Refresh Token Valid → If refresh token is valid → Server issues a new access token → User continues without re-logging in.
Refresh Token Expiry → After 30 days (or on logout), refresh token expires → User must re-login to get a new set of tokens.

Forem: Sudhi Ranjan Gupta