DEV Community

Sudhi Ranjan Gupta

Session Management, Tokens & Refresh Tokens

The working cycle of session expiration, refresh token, and re-login follows a common pattern in token-based authentication systems (like JWT), and it ensures secure access while balancing user experience. Here’s how each component typically fits into the cycle:

1. Session Expiration:

  • Session expiry occurs when the token or session reaches the end of its validity period. A token (like a JWT) generally has a short lifespan so that a leaked or stolen token is only usable for a limited window.
  • Access Token: This token is used to authenticate requests to the server. It is usually short-lived (e.g., 15-30 minutes) for that reason.
  • Mechanism:
    • When the access token expires, the client can no longer access protected resources using that token.
    • At this point, the client needs to either refresh the token using a refresh token or force the user to log in again.

2. Refresh Token:

  • A refresh token is a long-lived token that allows the user to obtain a new access token without logging in again. Its expiration period is usually much longer (e.g., weeks or months) than the access token's.
  • Working:
    • When the access token expires, the client (typically a front-end app) sends the refresh token to the server in exchange for a new access token.
    • The server checks the refresh token to ensure it’s valid and hasn’t expired. If it’s valid, the server generates and returns a new access token to the client.
    • This happens transparently to the user, meaning they can continue using the application without re-logging in.
  • Scenarios when Refresh Token works:
    • Refresh tokens are often stored securely (e.g., in HTTP-only cookies) and are not sent with every request—only when the access token expires.
    • If the refresh token is valid, it grants a new access token without needing to authenticate again.
    • If the refresh token is expired or invalid, the user must re-login to generate new tokens.

3. Re-Login (When Refresh Token Expires):

  • If the refresh token also expires or becomes invalid (e.g., user logs out from all devices, or the refresh token is compromised), the user must re-authenticate by logging in again.
  • Scenarios when Re-Login is Needed:
    • The refresh token itself has expired, typically after a long period of inactivity (weeks or months).
    • The user logs out manually, clearing both access and refresh tokens.
    • The refresh token is revoked on the server side, which can happen for security reasons (e.g., password change or account compromise).

Typical Working Cycle:

  1. Initial Login:
    • The user logs in with credentials (username, password, or via an OAuth2 provider).
    • The server issues both an access token (short-lived) and a refresh token (longer-lived).
    • The access token is used to authenticate API requests, while the refresh token is stored securely (usually in a cookie or secure storage).
  2. Session In-Progress (Using Access Token):
    • The client sends requests to the server using the access token for authentication.
    • This continues until the access token expires (e.g., after 15 minutes).
  3. Access Token Expiry:
    • After the access token expires, the client detects that the token is no longer valid (e.g., a 401 Unauthorized response from the server).
    • The client then sends the refresh token to the server to get a new access token.
  4. Refresh Token Flow:
    • If the refresh token is valid:
      • The server issues a new access token.
      • The client continues using the new access token to access protected resources.
    • If the refresh token has expired or is invalid:
      • The server responds with an error (e.g., 403 Forbidden), indicating the client must log in again.
  5. Re-Login:
    • If the refresh token is no longer valid (expired, revoked, etc.), the client will redirect the user to the login page.
    • The user will need to log in again to obtain a new pair of access and refresh tokens.
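The whole cycle described in sections 2 and 3 and in the Typical Working Cycle above, as an added Python example that is not code from the original post: a toy auth server hands out opaque access and refresh tokens with the post's 15-minute and 30-day lifetimes, the protected API answers 401 once the access token is stale, the refresh endpoint answers 403 once the refresh token has expired or been revoked (logout from all devices, password change), and the client-side logic refreshes on 401 and falls back to the login page on 403. The in-memory token stores, the explicit `now` clock parameter and the hard-coded credential check are assumptions made for the example.

```python
import secrets

ACCESS_TTL = 15 * 60           # access token lifetime: 15 minutes
REFRESH_TTL = 30 * 24 * 3600   # refresh token lifetime: 30 days


class AuthServer:
    def __init__(self):
        self.access = {}   # access token  -> (user, expires_at)   (assumed in-memory store)
        self.refresh = {}  # refresh token -> (user, expires_at)

    def _new_access(self, user, now):
        token = secrets.token_urlsafe(32)          # opaque, unguessable token
        self.access[token] = (user, now + ACCESS_TTL)
        return token

    def login(self, user, password, now):
        if password != "correct-horse":            # constructed credential check
            raise PermissionError("bad credentials")
        refresh = secrets.token_urlsafe(32)
        self.refresh[refresh] = (user, now + REFRESH_TTL)
        return self._new_access(user, now), refresh

    def api(self, access_token, now):
        """Protected resource: 200 while the access token is live, otherwise 401."""
        entry = self.access.get(access_token)
        return 200 if entry and entry[1] > now else 401

    def refresh_access(self, refresh_token, now):
        """Refresh endpoint: (200, new access token), or (403, None) when the refresh token is dead."""
        entry = self.refresh.get(refresh_token)
        if entry is None or entry[1] <= now:
            return 403, None
        return 200, self._new_access(entry[0], now)

    def revoke_user(self, user):
        """Logout from all devices / password change: drop every token issued to the user."""
        self.access = {t: v for t, v in self.access.items() if v[0] != user}
        self.refresh = {t: v for t, v in self.refresh.items() if v[0] != user}


def client_request(server, tokens, now):
    """Client side of the cycle: use the access token, refresh on 401, send the user to login on 403."""
    access, refresh = tokens
    if server.api(access, now) == 200:
        return "ok", tokens
    status, new_access = server.refresh_access(refresh, now)
    if status != 200:
        return "login_required", None              # refresh token expired or revoked
    return "refreshed", (new_access, refresh)      # transparent to the user
```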

When to Use Each Component:

  1. Access Token:
    • Used to authorise and authenticate most API requests.
    • Works until it expires, which is typically a short time (minutes).
  2. Refresh Token:
    • Used to get a new access token without re-logging in when the access token expires.
    • Works until it expires (usually a much longer time, weeks/months).
  3. Re-Login:
    • Required when both the access and refresh tokens are expired or revoked.
    • User must provide credentials again.

Mermaid version, to understand the flow in depth:

sequenceDiagram
    participant User
    participant ClientApp
    participant AuthServer
    participant API

    Note over User,ClientApp: Initial Login
    User ->> ClientApp: Provide credentials (e.g., username, password)
    ClientApp ->> AuthServer: Send credentials
    AuthServer ->> ClientApp: Access Token (15 mins) & Refresh Token (30 days)
    ClientApp ->> User: Logged In, Tokens stored (Access Token & Refresh Token)

    Note over ClientApp,API: Session In-Progress (Using Access Token)
    ClientApp ->> API: Send Access Token
    API ->> ClientApp: Response (Success)

    Note over ClientApp,API: Access Token Expired (e.g., after 15 mins)
    ClientApp ->> API: Send Access Token (Expired)
    API ->> ClientApp: 401 Unauthorized (Access Token expired)

    Note over ClientApp,AuthServer: Refresh Token Flow (Client sends Refresh Token)
    ClientApp ->> AuthServer: Send Refresh Token
    alt Refresh Token Valid
        AuthServer ->> ClientApp: New Access Token
        ClientApp ->> API: Send New Access Token
        API ->> ClientApp: Response (Success)
    else Refresh Token Expired
        AuthServer ->> ClientApp: 403 Forbidden (Re-login required)
        ClientApp ->> User: Redirect to Login (Session Expired)
    end

    Note over User,ClientApp: Re-Login (Required)
    User ->> ClientApp: Provide credentials
    ClientApp ->> AuthServer: Send credentials
    AuthServer ->> ClientApp: New Access Token & Refresh Token
    ClientApp ->> User: Logged In, Tokens refreshed


Mathematical Example

  • Login → User logs in → Receives access token (15 mins) + refresh token (30 days).
  • Access Token Expiry → After 15 minutes, access token expires → Client sends refresh token to server.
  • Refresh Token Valid → If refresh token is valid → Server issues a new access token → User continues without re-logging in.
  • Refresh Token Expiry → After 30 days (or on logout), refresh token expires → User must re-login to get a new set of tokens.
