🎯 JWT Token Expiry in Production — How would you redesign it? #jwt #techinterview #interviewprep
🎯 Interview Question: “Your JWT tokens keep expiring in production. Users need to log in repeatedly. How will you redesign token management?”
This question checks:
✅ Authentication flow
✅ JWT lifecycle management
✅ Security vs User Experience tradeoff
✅ Refresh tokens
✅ Token revocation
✅ Microservices understanding
Step 1: Identify the problem
Suppose the Access Token expires every 15 mins:
❌ Users must log in repeatedly
❌ Poor user experience
❌ More load on the auth server
A better design is needed.
Step 2: Use Access Token + Refresh Token
Industry standard approach:
🔹 Access Token (Short-lived)
• Expiry → 10–15 mins
• Sent with every API call
• Short expiry limits how long a stolen token stays usable
Example:
Authorization: Bearer <access_token>
🔹 Refresh Token (Long-lived)
• Expiry → 7/30/90 days
• Used to obtain new access tokens
• Avoids repeated login
Flow:
Login
↓
Server returns:
Access Token → 15 mins
Refresh Token → 30 days
↓
Access token expires
↓
Client sends Refresh Token
↓
Server validates it
↓
Issues new Access Token
↓
User continues without login
Step 3: Secure storage
❌ Stored in LocalStorage → readable by any script on the page, so exposed to XSS
✅ Better:
HttpOnly Secure Cookie
Benefits:
✓ JavaScript cannot read it
✓ Secure flag → sent only over HTTPS
Step 4: Refresh Token Rotation (Best Practice)
Whenever a refresh token is used:
Old Refresh Token → Invalidate ❌
Generate:
New Refresh Token + New Access Token ✅
Benefit:
If the old refresh token is stolen → useless after rotation
Step 5: Token Revocation
Problem:
JWTs are stateless.
After logout, a token still validates until it expires.
Solution:
Maintain the revoked tokens in:
• Redis
• Database
During validation:
Check → Is this token revoked?
If yes → Reject the request
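Steps 2, 4 and 5 put together in one small token service, as an added example that is not code from the video or its author. It assumes an in-memory dict in place of the Redis/database store, a constructed HS256 signing key, and a `jti` claim in every access token so that a single token can be revoked at logout.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-signing-key"   # constructed sample key for this demo only
ACCESS_TTL, REFRESH_TTL = 15 * 60, 30 * 24 * 3600   # 15 minutes / 30 days, as in the post

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_access_token(sub: str, now: int) -> str:
    """HS256 JWT with a 15-minute exp and a unique jti so it can be revoked later."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "iat": now, "exp": now + ACCESS_TTL, "jti": secrets.token_hex(8)}
    signing_input = f"{header}.{_b64(json.dumps(claims).encode())}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64(sig)}"

class TokenStore:
    """In-memory stand-in for the Redis/database the post describes."""
    def __init__(self):
        self.refresh = {}   # sha256(refresh token) -> (sub, expires_at)
        self.revoked = {}   # jti -> exp; an entry can be dropped once exp has passed
    def login(self, sub: str, now: int):
        raw = secrets.token_urlsafe(32)   # opaque random refresh token, nothing to forge
        # store only a hash, so a leaked store does not hand out usable tokens
        self.refresh[hashlib.sha256(raw.encode()).hexdigest()] = (sub, now + REFRESH_TTL)
        return issue_access_token(sub, now), raw
    def rotate(self, raw: str, now: int):
        """Refresh with rotation: the presented token is consumed, valid or not."""
        entry = self.refresh.pop(hashlib.sha256(raw.encode()).hexdigest(), None)
        if entry is None or entry[1] <= now:
            return None   # unknown, already used, or expired -> client must log in again
        return self.login(entry[0], now)
    def revoke(self, token: str) -> None:
        claims = json.loads(_b64d(token.split(".")[1]))
        self.revoked[claims["jti"]] = claims["exp"]   # keep until it would expire anyway
    def validate(self, token: str, now: int):
        """Signature first, then expiry, then the revocation list; claims or None."""
        parts = token.split(".")
        if len(parts) != 3:
            return None
        expected = hmac.new(SECRET, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(parts[2])):
            return None
        claims = json.loads(_b64d(parts[1]))
        if claims["exp"] <= now or claims["jti"] in self.revoked:
            return None
        return claims
```

In production the `revoked` map would be a Redis key per `jti` with a TTL equal to the token's remaining lifetime, so the blocklist never grows past the set of tokens that could still validate.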
Step 6: Sliding Session
Active users:
Keep extending the session
Example:
Expires in 30 mins
→ User is active
→ Extend by another 30 mins
Inactive users expire naturally.
Step 7: Microservices Design
Client
↓
Auth Service
↓
Issues JWT
↓
Microservices validate JWT
Refresh is handled only by the Auth Service → More scalable
🚀 Answer:
"I’d use short-lived access tokens with long-lived refresh tokens, secure storage, token rotation, revocation using Redis, and optional sliding sessions. This improves security, scalability, and user experience."
This shows production-level thinking beyond JWT basics.
#jwt #techinterview #interviewprep #learnwithme
Video “🎯 JWT Token Expiry in Production — How would you redesign it? #jwt #techinterview #interviewprep” from the channel Aparna Srivastava
Video information
Posted 21 h 8 min ago
Duration: 00:00:12