mds1256 Posted December 15, 2018 (edited)

Hi

Is it necessary to hash stored access and refresh tokens that are stored in a database? Both tokens have a limited lifespan (access token: 20 minutes, but the refresh token is 14 days).

The reason I ask is that I have hashed the tokens using the password_hash function, but a user can have multiple active sessions if they want (so there is a sessions table with user id (not username), access token, token expiry date/time, refresh token and refresh token expiry date/time). So in order to refresh the access token I have to do a lookup to see which session it relates to. What I have found is that I must retrieve all rows where the refresh token hasn't expired and then run password_verify against the stored tokens with the tokens provided, checking each session to see if they match.

What I have found is that it takes a while to run the password_verify function (by design, I think) for each row (could be many if the user has been silly and logged in lots of times), which would cause an unacceptable delay when calling an API with an access token that needs refreshing (my tests resulted in times upwards of 30 seconds for a user who has around 10 active sessions). If both tokens were not hashed, the same action to refresh a token for a user who has 10 active sessions takes less than a second, which is much more acceptable.

Edited December 15, 2018 by mds1256
Link to comment https://forums.phpfreaks.com/topic/308020-hash-access-and-refresh-tokens-in-the-database-necessary/
requinix Posted December 16, 2018

You need to store the values, right? If you don't store them in the database then where else could you? There isn't anywhere better.

There should only be one refresh token in use at a time for a given device. Multiple tokens for an account, sure, but for multiple devices.

You should be able to look up the token in your database directly, and without any hashing required.
mds1256 Posted December 16, 2018 (Author)

6 hours ago, requinix said: You need to store the values, right? If you don't store them in the database then where else could you? There isn't anywhere better. There should only be one refresh token in use at a time for a given device. Multiple tokens for an account, sure, but for multiple devices. You should be able to look up the token in your database directly, and without any hashing required.

Thanks for the reply. I would always be storing them in the database.

Each time the user logs in they get a new session (they can just resume a session if they haven't logged out), so the way I have it is that each session has its own refresh token. Then, when the access token has expired for that session, it uses the refresh token for that session to generate a new access token (and refresh token as well).

However, if a user's session is dormant for 15 days and they try to resume a session, then the refresh token has expired, so they will need to fully log in again.

So do I need to hash the token values in the database when I store them, or can they just be left as plain text, as they both have a limited lifetime anyway?
requinix Posted December 16, 2018

The values should be random. No point hashing them.
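Added example, not code from the thread: the session-table refresh flow from the first post, rewritten so that the answer above (random token, direct lookup) replaces the password_verify() loop. It assumes PDO on MySQL and the table, column and function names given in the comments; the storedForm() fast-hash step is an optional at-rest choice the thread does not discuss, and storing the raw token works the same way.

```php
<?php
// Added example, not code from the thread. Assumes PDO on MySQL and a table
//   sessions(user_id INT, access_token CHAR(64) UNIQUE, access_expires DATETIME,
//            refresh_token CHAR(64) UNIQUE, refresh_expires DATETIME)
// A 256-bit random token is found by one indexed equality lookup, so there is
// no password_verify() loop over every live session of the user.
const ACCESS_TTL  = 20 * 60;           // 20 minutes, as in the thread
const REFRESH_TTL = 14 * 24 * 60 * 60; // 14 days, as in the thread
function newToken(): string {
    return bin2hex(random_bytes(32));  // CSPRNG output, 64 hex characters
}

// Form written to the database. Storing the raw token is what the answer above
// suggests; a fast unsalted hash (shown here) keeps the same direct lookup while
// a copied table holds nothing that can be replayed. Insert and lookup must agree.
function storedForm(string $token): string {
    return hash('sha256', $token);  // also 64 hex characters
}

function expiresAt(int $ttl): string {
    return date('Y-m-d H:i:s', time() + $ttl);
}

function createSession(PDO $db, int $userId): array {
    $t = ['access' => newToken(), 'refresh' => newToken()];
    $db->prepare('INSERT INTO sessions (user_id, access_token, access_expires,
                  refresh_token, refresh_expires) VALUES (?, ?, ?, ?, ?)')
       ->execute([$userId, storedForm($t['access']), expiresAt(ACCESS_TTL),
                  storedForm($t['refresh']), expiresAt(REFRESH_TTL)]);
    return $t;  // raw tokens go to the client only
}

// Refresh flow from the thread: find the one session that owns this refresh
// token, reject it if dormant past 14 days, then rotate both tokens.
function refreshSession(PDO $db, string $refreshToken): ?array {
    $stmt = $db->prepare('SELECT user_id FROM sessions
                          WHERE refresh_token = ? AND refresh_expires > ?');
    $stmt->execute([storedForm($refreshToken), expiresAt(0)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;  // unknown or expired: caller forces a full login
    }
    $t = ['access' => newToken(), 'refresh' => newToken()];
    $db->prepare('UPDATE sessions SET access_token = ?, access_expires = ?,
                  refresh_token = ?, refresh_expires = ? WHERE refresh_token = ?')
       ->execute([storedForm($t['access']), expiresAt(ACCESS_TTL),
                  storedForm($t['refresh']), expiresAt(REFRESH_TTL),
                  storedForm($refreshToken)]);
    return $t + ['user_id' => (int) $row['user_id']];
}
```

With the UNIQUE index on refresh_token, a user with ten live sessions costs the same single row lookup as a user with one, which is the sub-second timing the first post measured for unhashed tokens.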