-
Notifications
You must be signed in to change notification settings - Fork 17
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reduce latency by including refresh challenge #29
Comments
So a similar pattern to rotating refresh tokens. Folks were discussing other options for reducing round trips in #12--you could add something like this to the simplified flow proposed there. It might further complicate handling concurrency once you move the logic out of the "special" registration endpoints but it shouldn't be insurmountable. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
As I understand it, refreshing the cookies requires the browser to acquire a new challenge, sign it, and then present it
While the server can respond with a
Sec-Session-Challenge
header at any time, the logic to generate the challenge will be at the/securesession
endpoint, not at other server end pointswhen responding to
POST /securesession/start
orPOST /securesession/refresh
, the server could includeSec-Session-Reffresh
headers that have the same content as theSec-Session-Challenge
headers -- and the challenge and optional authorization would be used on the next refresh, removing one round trip in a refresh cycleThe text was updated successfully, but these errors were encountered: