why use JWT + refresh tokens and not only JWTs???
Unanswered
Chinese Chongqing Dog posted this in #help-forum
Chinese Chongqing DogOP
i asked a similar question [here](https://nextjs-forum.com/post/1415501227738792126) already, but found myself stuck on another thing, why don't you just give the user a jwt token which is valid for 15min and also save it to the db, now the user can do stuff for 15mins and after the jwt expires we check in the db if this old jwt exists, and if it does we just give him a new jwt and update the old one in the db, doesn't this have the same security like with a JWT + refresh token? i see no difference here, other than with my method i only have to care about one cookie and not 2 different ones.
-# pls ping me if you answer
7 Replies
Chinese Chongqing DogOP
i also made a little sketch where the output is the same on both (starting at client (blue))
not sure the point on saving a jwt to db, the whole point is for it to be "stateless"
you if anything lose security
@riské not sure the point on saving a jwt to db, the whole point is for it to be "stateless"
Chinese Chongqing DogOP
i mean the jwt is stateless, it works for 15min without hitting the database and if it is expired only then we compare it with the one in the database and if they match we issue a new one and update the one in the database, so like with a refresh token just that we don't need a refresh token
i mean it solves the issue of forking refresh tokens (ie with one you can make so many new without others affected)
and it doesn't have the same security of refresh as the point is that it's only sent twice over network
(not like it matters for 99% of people tho)
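
The single-token flow described in the thread (15-minute JWT, a copy stored in the db, reissue when the expired token matches the stored one), written out as an added example that is not code from any poster. The HS256 helper, the in-memory `db` Map, the constructed secret and all function names are assumptions.

```javascript
// Added example: sketch of the single-token flow from the thread. All names are hypothetical.
const nodeCrypto = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // constructed value, not a real key
const TTL = 15 * 60;                      // 15 minutes, as in the thread
const db = new Map();                     // userId -> last issued JWT (stands in for the db)

const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const mac = (data) => nodeCrypto.createHmac('sha256', SECRET).update(data).digest('base64url');

// Issue a JWT and store it as the only token that may later be renewed for this user.
function issue(userId, now) {
  const claims = { sub: userId, iat: now, exp: now + TTL, jti: nodeCrypto.randomUUID() };
  const body = `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64(claims)}`;
  const token = `${body}.${mac(body)}`;
  db.set(userId, token);
  return token;
}

// Check the signature first; report expiry separately so an expired token can still be identified.
function verify(token, now) {
  const [h, p, sig] = String(token).split('.');
  if (!h || !p || !sig) return null;
  const expected = Buffer.from(mac(`${h}.${p}`));
  const given = Buffer.from(sig);
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) return null;
  const payload = JSON.parse(Buffer.from(p, 'base64url').toString());
  return { payload, expired: now >= payload.exp };
}

// Per-request handling: no db access while the token is valid, db lookup only after expiry.
function handle(token, now) {
  const v = verify(token, now);
  if (!v) return { ok: false, reason: 'bad signature' };
  if (!v.expired) return { ok: true, token, dbHit: false };
  // Expired: renew only if this is exactly the token stored for the user, then replace it.
  if (db.get(v.payload.sub) !== token) return { ok: false, reason: 'not the stored token', dbHit: true };
  return { ok: true, token: issue(v.payload.sub, now), dbHit: true };
}
```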