We know that session management can have a huge impact on user experience and customer retention. Imagine if you had to re-authenticate to your most commonly used apps every few minutes?! With that in mind, Passage has added support for long-lived sessions and token revocation, enabling a better user experience and improved security. These additional session management capabilities allow for greater security while providing long-lived sessions often needed for PWA and mobile apps.
Stateless session management means that the session token is not stored anywhere on the server (the Passage server or your application server). This is done in the form of JSON Web Tokens (JWTs), which are JSON-formatted tokens that are cryptographically signed by Passage to ensure they have not been tampered with. To verify a session, an application can use the public key provided by Passage to check the signature on the token. If it passes, the data in the JWT can be trusted.
JWTs provide great session security with low latency because they can be verified without contacting the Passage API. The downside to stateless sessions is that revocation and long lived sessions (common in PWAs) can be difficult, if not impossible, to implement.
That's where refresh tokens come in. Passage now supports a hybrid session management solution that provides the low latency of stateless JWT-based sessions, with the revocation capabilities of stateful sessions.
Here’s how it works: When a user logs into your application with Passage, they are issued an auth token and a refresh token. The auth token is a stateless JWT that can be verified using a public key from Passage. It is designed to be a short-lived. The refresh token is a long-lived stateful token that can be used to get a new auth token when one has expired.
Behind the scenes, Passage isn’t storing these tokens in our database. We store an HMAC of the tokens to ensure that we never hold any data that can be used to access your customer’s accounts.
To provide additional security out of the box, Passage has also introduced refresh token rotation that is enabled by default whenever you use refresh tokens. Rotation means that every time a refresh token is used to get a new auth token, a new refresh token is also issued and the original refresh token is invalidated.
The main reason for this is to prevent replay attacks - someone gaining access to the original refresh token and trying to use it to get an auth token. Passage provides an additional layer of security by detecting when an old refresh token has been compromised, invalidating all tokens related to the compromised refresh token, and requiring the user to re-authenticate.
Here's how to use it: Refresh tokens are disabled by default. To enable this functionality visit Authentication → Session Management in the Passage Console. From there, choose your session timeouts.
Here are some suggestions based on the type of application:
Lastly, if this doesn't meet your requirements for fully stateful sessions, you could instead exchange a Passage JWT for a session token from your application. Then you can manage the session token database or cache, ensure revocation happens immediately, and keep latency low by using caching and reducing external network requests.
There are a lot of different variables that go into designing session management that is secure and doesn’t add friction for your users. Feel free to reach out if you’d like some more information on the options and recommendations above. We are always around in Discord or via email at support@passage.id.