|
|
|
|
|
|
by leddt
2400 days ago
|
|
|
Since the refresh-token is single-use, the user will be logged out when trying to refresh their own token, and will presumably then login again, which should invalidate the attacker's refresh token. But I agree it's not a perfect system. This is meant to specifically address the problems of long-lived tokens, since JWTs are hard to revoke without checking a blacklist on the server-side. The main problem is that localStorage is more vulnerable to some classes of attacks than secure, http-only cookies. |
|
|