Double JWT submit method


I’m implementing my JWT method by using the double submit method: where we separate the payload & header portion of the JWT from the signature.

The header & payload is stored in a separate cookie, not HttpOnly so its accessible by the client, and the signature is HttpOnly.

The implementation seems pretty straight forward, but I’m having an issue understanding how refresh works.

For example, since I’m using firebase, the users jwt token has an expiration of 1 hour. When that expires, we need to automatically refresh the token, but this means we are refreshing the whole token. The whole point of the signature token is to be session long.

How can we refresh just the payload & header part of the token, without it affecting the signature?

The strategy I am using is based on this article: https://medium.com/lightrail/getting-token-authentication-right-in-a-stateless-single-page-application-57d0c6474e3