Jump to content

Hash Access and Refresh Tokens in the database - necessary?


mds1256

Recommended Posts

Hi

Is it necessary to hash stored access and refresh tokens that are stored in a database.

Both these tokens have limited lifespan (access token - 20 minutes but refresh token is 14 days).

The reason I ask is I have hashed the tokens using the password_hash function but a user can have multiple active sessions if they want (so there is a sessions table with user id (not username), access token, token expiry date/time, refresh token and refresh token expiry date/time.

So in order to refresh the access token I have to do a look up to see which session it relates to, what I have found is that I must retrieve all rows where the refresh token hasn't expired and then run password_verify against the tokens stored with the tokens provided to check each session to see if they match.

What I have found is that it takes a while to run  the password_verify function (by design I think) for each row (could be many if the users has been silly and logged in lots of time) which would cause an unacceptable delay when calling an API with an access token that needs refreshing (my tests resulted in times upwards of 30 seconds for a user who has around 10 active sessions).

If both tokens were not hashed the same action to refresh a token for a user who has 10 active sessions takes less than a second which is much more acceptable.

Link to comment
Share on other sites

You need to store the values, right? If you don't store them in the database then where else could you? There isn't anywhere better.

There should only be one refresh token in use at a time for a given device. Multiple tokens for an account, sure, but for multiple devices. You should be able to look up the token in your database directly, and without any hashing required.

Link to comment
Share on other sites

6 hours ago, requinix said:

You need to store the values, right? If you don't store them in the database then where else could you? There isn't anywhere better.

There should only be one refresh token in use at a time for a given device. Multiple tokens for an account, sure, but for multiple devices. You should be able to look up the token in your database directly, and without any hashing required.

Thanks for the reply.

I would always be storing them in the database. Each time the user logs in they get a new session (they can just resume a session if they haven’t logged out), so they way I have it is that each session has its own refresh token. Then when the access token has expired for that session it uses the refresh token for that session to generate a new access token (and refresh token as well).

however if a users session is dormant for 15 days and they try to resume a session then the refresh token has expired so they will need to fully log in again.

so do I need to hash the token values in the database when I store them or can they just be left as plain text as they both have a limited lifetime anyway?

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.