
Users and Identity

Session Tokens Must Be Short-Lived and Refresh Tokens Must Be Rotated

Access tokens should expire quickly. Refresh tokens must rotate on every use, be stored securely, and be revocable at any time.

Rule

Access tokens must be short-lived and refresh tokens must rotate on use.

Why

Long-lived tokens are a high-value target. Rotation limits the damage window of a stolen token.

Must

  • Set access token lifetime to 15 minutes or less.
  • Rotate refresh tokens on every use (refresh token rotation).
  • Invalidate the old refresh token immediately upon rotation.
  • Support server-side session revocation (sign out everywhere).
  • Store refresh tokens in HttpOnly Secure cookies or encrypted storage, never localStorage.

Should

  • Treat presentation of an already-rotated refresh token as a compromise signal and invalidate the entire token family, not just the reused token.
  • Record session metadata (device, IP, user agent) for security audit.

Anti-patterns

  • Access tokens that never expire.
  • Refresh tokens stored in localStorage.
  • No mechanism to revoke all active sessions.

Test Cases

  • Expired access token rejected with 401.
  • Reuse of a rotated refresh token is detected as compromise and the whole token family is revoked.
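An added in-memory sketch of the rotation, reuse-detection and revocation behaviour described under Must, Should and Test Cases (example code written for this page, not a reference implementation from any project): one token family per login, the family's current refresh token tracked server-side, every refresh token ever issued kept indexed so a replay is recognisable, and the event names from the Telemetry section emitted as plain strings. The TokenService class, its method names and the injectable clock are assumptions.

```python
import secrets
import time

ACCESS_TTL = 15 * 60  # seconds: the 15-minute ceiling from the rule

class TokenService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.families = {}       # family_id -> {"user", "current", "revoked"}
        self.refresh_index = {}  # every refresh token ever issued -> family_id
        self.access_index = {}   # access token -> (family_id, expiry)
        self.events = []         # telemetry event names taken from the rule

    def login(self, user):
        fam, refresh = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.families[fam] = {"user": user, "current": refresh, "revoked": False}
        self.refresh_index[refresh] = fam
        return self._issue_access(fam), refresh

    def _issue_access(self, fam):
        tok = secrets.token_urlsafe(32)
        self.access_index[tok] = (fam, self.clock() + ACCESS_TTL)
        return tok

    def check_access(self, tok):
        fam, expiry = self.access_index.get(tok, (None, 0))
        live = fam is not None and self.clock() < expiry and not self.families[fam]["revoked"]
        return 200 if live else 401

    def refresh(self, presented):
        # Rotate on use: returns (access, new_refresh), or None when the request is rejected.
        fam = self.refresh_index.get(presented)
        if fam is None or self.families[fam]["revoked"]:
            return None
        session = self.families[fam]
        if presented != session["current"]:
            # A rotated token presented again means a second party holds a copy.
            session["revoked"] = True
            self.events.append("token_refresh_reuse_detected")
            return None
        session["current"] = new = secrets.token_urlsafe(32)  # old token now invalid
        self.refresh_index[new] = fam
        self.events.append("token_refresh_succeeded")
        return self._issue_access(fam), new

    def revoke_all(self, user, by="user"):
        for s in self.families.values():
            if s["user"] == user:
                s["revoked"] = True
        self.events.append(f"session_revoked_by:{by}")
```

check_access consults the family's revoked flag on every call, so a reuse detection or a sign-out-everywhere takes effect for outstanding access tokens immediately rather than only at their 15-minute expiry.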

Telemetry

  • token_refresh_succeeded
  • token_refresh_reuse_detected
  • session_revoked_by (user, admin, security_policy)