Project specific implementations: Session management strategy - devrath/RunTracer GitHub Wiki

Why session management is necessary

  • Our API must be secure so that an attacker cannot make an API request while impersonating another user.
  • The mechanism that establishes who is calling is called authentication.
  • There are many authentication mechanisms; here we use the refresh-token mechanism (OAuth style).
  • The session management mechanism lets us avoid re-login every time the session (access) token expires, using the flow described below.

How this authentication mechanism works

  • There are 2 tokens
    • Access token
      • It is very short-lived, i.e. its validity is short.
      • This is the token we send with every API request to tell the API who we are.
      • Its validity period is defined by the server.
    • Refresh token
      • It is long-lived and has a long validity.
      • It is only used, and replaced, in one specific scenario (described below).

When we receive both the tokens

  • When we log into the application, we receive a pair of tokens: one access token and one refresh token.

How long the access token can be used

  • It is sent with requests for as long as it is valid; the validity period is defined by the server (ex: 1-hr).

How long the refresh token can be used

  • It is used to obtain a new access token once the access token has expired.

How the API notifies us that the access token has expired

  • When the access (auth) token has expired, the API returns 401, indicating that the auth token is no longer accepted. We then use the refresh token to obtain a new auth token and retry the request.
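The full cycle above (access token sent with each call, 401 on expiry, refresh, retry, and a forced re-login when the refresh token itself is no longer accepted), as an added example that is not code from the RunTracer project. A constructed in-memory server stands in for the API so the flow can be exercised offline; the token names, the lifetimes (1 h access, 30 d refresh) and the single-use rotation of the refresh token are assumptions.

```python
import itertools

class FakeAuthServer:
    """Constructed stand-in for the backend: issues a token pair on login, rotates the pair on
    refresh, and answers 401 to any API call whose access token has expired. `now` is a
    simulated clock so expiry can be driven without waiting."""
    def __init__(self, access_ttl=3600, refresh_ttl=30 * 24 * 3600):  # assumed lifetimes
        self.now, self.access_ttl, self.refresh_ttl = 0, access_ttl, refresh_ttl
        self._ids, self.access, self.refresh = itertools.count(1), {}, {}

    def _issue(self):
        a, r = f"access-{next(self._ids)}", f"refresh-{next(self._ids)}"
        self.access[a], self.refresh[r] = self.now + self.access_ttl, self.now + self.refresh_ttl
        return a, r

    def login(self, user, password):
        return self._issue()  # credential check omitted in this stand-in

    def refresh_tokens(self, refresh_token):
        exp = self.refresh.pop(refresh_token, None)  # single-use: a replayed refresh token fails
        if exp is None or exp <= self.now:
            return None  # unknown or expired refresh token: the client must log in again
        return self._issue()

    def api_call(self, access_token):
        exp = self.access.get(access_token)
        return (200, "ok") if exp is not None and exp > self.now else (401, "access token expired")

class SessionManager:
    """Client side: send the access token; on 401 refresh once and retry; if the refresh token
    is rejected as well, fall back to a full login instead of looping on 401."""
    def __init__(self, server, login):
        self.server, self.login = server, login
        self.access, self.refresh = login()
        self.refreshes = self.relogins = 0  # counters so callers can see which path was taken

    def request(self):
        status, body = self.server.api_call(self.access)
        if status != 401:
            return status, body
        pair = self.server.refresh_tokens(self.refresh)
        if pair is None:
            self.relogins += 1
            pair = self.login()
        else:
            self.refreshes += 1
        self.access, self.refresh = pair
        return self.server.api_call(self.access)  # retry exactly once
```

Retrying exactly once matters: a client that re-sends on every 401 without bounding the loop turns a revoked token into a request storm against the API.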