From my understanding, the current standard when using JWTs for user sessions is to have a short-lived (expires after maybe 15 minutes) access token and a long-lived refresh token (expires after 24+ hours) which can be used to obtain more access tokens.
There seems to be a handful of reasons for this, the main ones being:
- To decrease server load regarding authentication and session management.
- To prevent an attacker from having long-term access if they somehow obtain an access token.
- To prevent new access tokens by revoking refresh tokens.
My concerns are:
- Why do people think 15 minutes is short enough to prevent an attacker from doing whatever they want? A lot of damage can be done in 15 minutes.
- If an attacker can obtain an access token, then they can most likely obtain a refresh token as well. This would allow them to obtain as many access tokens as they need (until someone figures out that the refresh token has been compromised).
Am I missing something here? Or are JWTs not really meant for security? Are they really only meant to decrease server load?
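The access-token/refresh-token model the question describes, as an added example that is not part of the original post: a short-lived HS256 JWT checked for signature and expiry, plus server-side refresh tokens that are rotated on every use and grouped into a per-login "family". The point the post raises ("until someone figures out that the refresh token has been compromised") is what the reuse check addresses: once a rotated token is presented a second time, the server cannot tell whether the legitimate client or a thief holds the stale copy, so it revokes the whole family and forces a fresh login. The signing key, the 15-minute/24-hour lifetimes, the user name and the fixed clock values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets

SECRET = b"constructed-demo-hmac-key"  # assumption: server-side signing key, never sent to clients
ACCESS_TTL = 15 * 60                    # 15 minutes, as in the post
REFRESH_TTL = 24 * 3600                 # 24 hours, as in the post


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_access_token(sub: str, now: float) -> str:
    """Mint a compact HS256 JWT carrying subject, issued-at and expiry."""
    compact = dict(separators=(",", ":"))
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = _b64url(json.dumps(
        {"sub": sub, "iat": int(now), "exp": int(now) + ACCESS_TTL}, **compact).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_access_token(token: str, now: float):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # never trust the header to pick the algorithm
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, KeyError):
        return None
    if now >= claims.get("exp", 0):
        return None
    return claims


class RefreshStore:
    """Server-side refresh tokens with rotation and reuse detection.

    Tokens are stored hashed so a database leak does not yield usable tokens;
    every login starts a new family, and each refresh retires the token it was given.
    """

    def __init__(self):
        self.tokens = {}            # sha256(token) -> record
        self.revoked_families = set()

    @staticmethod
    def _h(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _mint(self, sub: str, family: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[self._h(token)] = {
            "sub": sub, "family": family, "exp": now + REFRESH_TTL, "used": False}
        return token

    def login(self, sub: str, now: float) -> str:
        return self._mint(sub, secrets.token_hex(8), now)

    def refresh(self, token: str, now: float):
        """Return (access_token, new_refresh_token), or None if the token is rejected."""
        rec = self.tokens.get(self._h(token))
        if rec is None or now >= rec["exp"] or rec["family"] in self.revoked_families:
            return None
        if rec["used"]:
            # A rotated token came back: the legitimate client or an attacker holds a
            # stale copy. Revoke the whole family so neither can mint more access tokens.
            self.revoked_families.add(rec["family"])
            return None
        rec["used"] = True
        return issue_access_token(rec["sub"], now), self._mint(rec["sub"], rec["family"], now)


def demo() -> dict:
    """Walk through the lifecycle; every value in the result should be True."""
    store = RefreshStore()
    t0 = 1_700_000_000.0                         # constructed fixed clock
    rt1 = store.login("alice", t0)
    access1, rt2 = store.refresh(rt1, t0)
    results = {
        "access_valid_now": verify_access_token(access1, t0 + 60) is not None,
        "access_expired_after_15m": verify_access_token(access1, t0 + ACCESS_TTL + 1) is None,
        # A copied rt1 replayed after the client already rotated it is refused...
        "stolen_replay_rejected": store.refresh(rt1, t0 + 120) is None,
        # ...and the family is dead, so the current token rt2 no longer works either.
        "family_revoked": store.refresh(rt2, t0 + 130) is None,
    }
    return results


if __name__ == "__main__":
    print(demo())
```

The rotation makes a stolen refresh token a one-shot: whichever party uses it second trips the reuse check, and the resulting family revocation is the signal that an investigation should start. It does not shorten the window an attacker has with a live access token; that is exactly what the 15-minute expiry bounds, and nothing in the token itself stops damage inside that window.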