JWT refresh tokens should be stored securely on the server side. Here are the steps to do so:

1. **Create a Refresh Token**: When a user logs in, along with the JWT, also generate a JWT refresh token. This token should have a longer expiry time than the regular JWT.

2. **Store Refresh Token**: Store this refresh token in a secure server-side datastore like a SQL or NoSQL database. The refresh token should be associated with the user in the database.

3. **Send Refresh Token to Client**: Send this refresh token along with the JWT to the client. The client should store this refresh token securely, preferably in the HttpOnly cookie.

4. **Use Refresh Token**: When the JWT expires, the client should make a request to the server with the refresh token. The server should then check the validity of the refresh token.

5. **Generate New JWT**: If the refresh token is valid, generate a new JWT and refresh token and send them to the client. The old refresh token should be invalidated.

6. **Handle Logout**: On logout, the refresh token should be invalidated on the server side.

Remember, storing refresh tokens on the server side helps prevent token theft. If a JWT is stolen, it can only be used until it expires. The thief would not have access to the refresh token, so they cannot get a new JWT.

Question

JWT refresh tokens should be stored securely on the server side. Here are the steps to do so:

1. **Create a Refresh Token**: When a user logs in, along with the JWT, also generate a JWT refresh token. This token should have a longer expiry time than the regular JWT.

2. **Store Refresh Token**: Store this refresh token in a secure server-side datastore like a SQL or NoSQL database. The refresh token should be associated with the user in the database.

3. **Send Refresh Token to Client**: Send this refresh token along with the JWT to the client. The client should store this refresh token securely, preferably in the HttpOnly cookie.

4. **Use Refresh Token**: When the JWT expires, the client should make a request to the server with the refresh token. The server should then check the validity of the refresh token.

5. **Generate New JWT**: If the refresh token is valid, generate a new JWT and refresh token and send them to the client. The old refresh token should be invalidated.

6. **Handle Logout**: On logout, the refresh token should be invalidated on the server side.

Remember, storing refresh tokens on the server side helps prevent token theft. If a JWT is stolen, it can only be used until it expires. The thief would not have access to the refresh token, so they cannot get a new JWT.

Knowee AI · Accepted Answer