
JWT Multiple Request Refresh Token - Alexeykhr
https://medium.com/@alexeykhr/jwt-multiple-request-refresh-token-693bb24e3a68
======
rp2684
A way to solve this issue would be to synchronise around refresh API calls.
This way, parallel refresh calls will never happen, and in fact, you need to
even do the 2nd onwards refresh call. The trickiest part here is to also lock
across tabs, since the user could have several tabs of your website open and
all of them running in parallel.

This is exactly what SuperTokens.io does in their website SDK. As a user, you
don't need to worry about this and can simply make your fetch / axios calls as
usual.
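The synchronisation rp2684 describes, written out as an added example (not code from the thread and not the SuperTokens SDK): every request in a tab that sees the same expired access token joins one in-flight refresh, and a named lock shared across tabs makes sure only one tab actually hits the refresh endpoint while the others re-read the rotated tokens after the lock is released. The pieces that would be real in a browser are simulated here so it runs offline: `FakeAuthServer` stands in for the refresh endpoint (assumed to rotate refresh tokens and reject reuse), `SharedStorage` for localStorage, and `LocalLock` for the Web Locks API, whose real `navigator.locks.request(name, callback)` has the same shape. The token strings are opaque, so the coordination does not depend on the access token being a JWT.

```javascript
// Simulated refresh endpoint (assumption: refresh tokens rotate, and a token
// presented twice is treated as reuse and rejected).
class FakeAuthServer {
  constructor() { this.refreshCalls = 0; this.used = new Set(); this.serial = 0; }
  async refresh(refreshToken) {
    this.refreshCalls += 1;
    if (this.used.has(refreshToken)) throw new Error('refresh token reuse detected');
    this.used.add(refreshToken);
    this.serial += 1;
    return { access: `access-${this.serial}`, refresh: `refresh-${this.serial}` };
  }
}

// Stand-in for localStorage: a single object visible to every simulated tab.
class SharedStorage {
  constructor(tokens) { this.tokens = { ...tokens }; }
  read() { return { ...this.tokens }; }
  write(tokens) { this.tokens = { ...tokens }; }
}

// Stand-in for navigator.locks: request(name, fn) runs fn only once every
// earlier holder of `name` has finished, queuing callers in arrival order.
class LocalLock {
  constructor() { this.chains = new Map(); }
  request(name, fn) {
    const prev = this.chains.get(name) || Promise.resolve();
    const next = prev.then(() => fn());
    this.chains.set(name, next.catch(() => {})); // a failed holder must not block the queue
    return next;
  }
}

// One coordinator per tab; `storage` and `lock` are shared by all tabs.
function createRefreshCoordinator({ server, storage, lock }) {
  let inflight = null;
  return function refreshIfStale(staleAccess) {
    // Same-tab dedup: callers that observed the same expired token share the
    // refresh already in progress instead of starting their own.
    if (inflight) return inflight;
    inflight = lock.request('token-refresh', async () => {
      // Re-read after taking the cross-tab lock: another tab may already have
      // rotated the tokens while this one was queued. In that case there is
      // nothing to refresh, and the old refresh token must not be sent again.
      const current = storage.read();
      if (current.access !== staleAccess) return current;
      const fresh = await server.refresh(current.refresh);
      storage.write(fresh);
      return fresh;
    }).finally(() => { inflight = null; });
    return inflight;
  };
}

// Simulate several tabs, each firing several requests that all saw the same
// expired access token at the same moment (constructed scenario).
async function simulate({ tabs = 3, requestsPerTab = 4 } = {}) {
  const server = new FakeAuthServer();
  const storage = new SharedStorage({ access: 'access-0', refresh: 'refresh-0' });
  const lock = new LocalLock();
  const coordinators = Array.from({ length: tabs }, () =>
    createRefreshCoordinator({ server, storage, lock }));
  const results = await Promise.all(coordinators.flatMap((refresh) =>
    Array.from({ length: requestsPerTab }, () => refresh('access-0'))));
  return {
    refreshCalls: server.refreshCalls,                 // expected: 1
    accessTokens: new Set(results.map((r) => r.access)), // expected: {'access-1'}
    finalAccess: storage.read().access,
  };
}

simulate().then((r) => console.log(r.refreshCalls, [...r.accessTokens], r.finalAccess));
```

Without the post-lock re-read, the second and third tabs would each present the already-consumed refresh token and, against a rotating endpoint, be rejected or, worse, trip reuse detection and revoke the whole session; the check is what turns "serialise the refresh calls" into "perform the refresh once".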

------
bouke
Seems like a lot of work where a simple session id would suffice. JWTs are
not the appropriate solution where session-like behavior is wanted.

~~~
rp2684
This problem will also exist if an opaque token is used instead of a JWT (as
long as a refresh token is being used). Now you may argue that we don't need
to use refresh tokens because that's complex, however, in that case, you are
severely compromising on user security. See this please:
[https://supertokens.io/blog/all-you-need-to-know-about-user-...](https://supertokens.io/blog/all-you-need-to-know-about-user-session-security?s=y)

