what makes refresh tokens more secure than access tokens?
Answered
Chinese Chongqing Dog posted this in #help-forum
Chinese Chongqing DogOP
hey, I'm new and I just got into the security stuff and found out about access & refresh tokens, but I can't find the point of what makes refresh tokens safer than access tokens.
so I know the main difference is that access tokens are short lived and refresh tokens long lived and are used to revalidate access tokens so the user doesn't need to log in every 10 minutes, but I don't understand why refresh tokens make it so much more secure than just using access tokens, since both the access and the refresh token are saved mostly in the same way, so if a hacker got the possibility to hack a token he could just take the refresh token instead of the access token?
Answered by riské
it can be from network sniffing, like the refresh token will only be sent twice (when you receive it and when you use it again to get new tokens). this means that if someone is intercepting your traffic they probably will only get a token that lasts a day or so
you have to be careful with it so it's not so frequent that the user sees the first load as slower
if you're using this with cookies and sending both at the same time, then yeah, there's like no benefit
the thing I like about it is that if they copy your tokens, then without forcing a new one (where the user notices as not logged out) the damage of being able to do things is only that short time, not a month or year depending on your strategy
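As an added illustration of the point made in these replies (example code, not from anyone in the thread): a toy Python issuer where access tokens expire after the question's 10 minutes and refresh tokens are single use, so a sniffed access token dies on its own and a sniffed refresh token is useless once the real client has exchanged it. The reuse detection that revokes the whole session "family" when a consumed refresh token is replayed goes one step beyond what the replies describe and is this example's own assumption; the class, method and user names are made up.

```python
import secrets

ACCESS_TTL = 600           # seconds; the 10-minute window from the question
REFRESH_TTL = 30 * 86400   # refresh tokens live for weeks, so their exposure matters more

class AuthServer:
    def __init__(self, clock):
        self.clock = clock      # injected clock so the scenario can fast-forward time
        self.access = {}        # access token -> (user, expires_at, family)
        self.refresh = {}       # refresh token -> (user, expires_at, family, used)
        self.revoked = set()    # token families killed after a detected reuse (assumed design)
    def _issue(self, user, family):
        now = self.clock()
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[at] = (user, now + ACCESS_TTL, family)
        self.refresh[rt] = (user, now + REFRESH_TTL, family, False)
        return at, rt
    def login(self, user):
        return self._issue(user, family=secrets.token_hex(8))
    def check_access(self, at):
        rec = self.access.get(at)
        if rec is None or rec[1] <= self.clock() or rec[2] in self.revoked:
            return None
        return rec[0]
    def refresh_tokens(self, rt):
        rec = self.refresh.get(rt)
        if rec is None:
            return None
        user, expires_at, family, used = rec
        if used:  # same refresh token presented twice: two parties hold it, so kill the family
            self.revoked.add(family)
            return None
        if expires_at <= self.clock() or family in self.revoked:
            return None
        self.refresh[rt] = (user, expires_at, family, True)  # consume it: one-shot token
        return self._issue(user, family)

def sniffing_scenario():
    """Someone copies tokens off the wire; report what each copy is worth to them."""
    t = [0]
    srv = AuthServer(lambda: t[0])
    at, rt = srv.login("alice")
    ok_now = srv.check_access(at) == "alice"   # access token seen on every API call works...
    t[0] += ACCESS_TTL + 1
    ok_later = srv.check_access(at)            # ...but is dead after ten minutes
    new_at, _ = srv.refresh_tokens(rt)         # legit refresh: rt is on the wire once, then consumed
    replayed = srv.refresh_tokens(rt)          # sniffed copy replayed: rejected, family revoked
    return {"access_usable_now": ok_now, "access_usable_after_ttl": ok_later,
            "refresh_replay_accepted": replayed is not None,
            "legit_session_forced_out": srv.check_access(new_at) is None}
```

The forced logout on replay is what makes the reuse visible to the user, which is the "user notices" case mentioned above.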
Chinese Chongqing DogOP
so the only benefit is that the refresh token is not exposed as much as the access token, thus reducing the risk of getting leaked somewhere
Yeah, that's my understanding
I see it more with OAuth than web apps as it's kinda annoying to do
Like you can't really SSR as cool and many things like a normal token that can refresh itself