Channels
#general
Title
b
bayu
04/10/2022, 9:06 AMhi all, I've read this article https://supertokens.com/blog/the-best-way-to-securely-manage-user-sessions
but I still curious about Notes For Implementation no.4:
4. Detection of refresh token theft does not require the database to explicitly store invalidated tokens. This can be achieved through structuring the refresh tokens using parent-child hierarchies (see Github implementation).
can anyone explain about this
parent-child hierarchiesr
rp
04/10/2022, 9:08 AMHey!
So all refresh tokens for a session have the session ID embedded in them (and they are signed too). So if the signature matches, and the session handle is in the db, then we can assume that we created the refresh token. If the refresh token itself is not in the db, and it’s not a child of the refresh token that’s in the db, it means this refresh token was previously used and exchanged for anew refresh token. Hence we can assume it’s stolen
b
bayu
04/10/2022, 9:24 AMso a new child refresh token have a "replacingParentRefreshTokenId" data? if its signature matches and the parent currently on the db then we can assume the new child refresh token is authentic?
in short, we just need to store the parent refresh token?
user can generate new multiple child refresh token, but once one of them used to get new access token, its parent refresh token is replaced?
r
rp
04/10/2022, 9:25 AMYes. Exactly. And then the child becomes the parent for new refresh tokens.
b
bayu
04/10/2022, 9:28 AMahh I see, Thank you so much for your explanation! 😀
r
rp
04/10/2022, 9:28 AMAre you implementing this on your own? Or just curious?
And are you using supertokens?
b
bayu
04/10/2022, 9:32 AMyeahh I curious and want to try implement this on my own just to learning.
I read and learn a lot article by supertokens, i interested but still want to know how supertokens work inside
thank you so much!
r
rp
04/10/2022, 9:35 AMFair! Our code is open source too. So that could help
b
bayu
04/10/2022, 9:39 AMwow its help so much, i've explored the java code but im lost XD. didn't know all explained well on the wiki. thank you!
2 Views