• caglararli@hotmail.com
  • 05386281520

can we use access token as session cookie in browser? and how to protect it?

Çağlar Arlı      -    49 Views

can we use access token as session cookie in browser? and how to protect it?

The scenario is: you have refresh token that is valid for a longer period of time and an access token that is valid for a shorter period of time.

The setup: There is a client, application server and authentication server.

The client stores the access token in browser. The application server stores the refresh token. The authentication server hands out the refresh + access token. One of the advantages is that a stolen access token can only be used for the time it is valid.

Say a hacker steals the access token that is valid for 30 minutes. When the hacker makes a request with the valid but expired stolen access token after 30 minutes, the application server refreshes it with the refresh token, thus the hacker gaining a new valid and not expired access token.