{"id":11401,"date":"2026-02-20T11:42:25","date_gmt":"2026-02-20T02:42:25","guid":{"rendered":"https:\/\/www.skyer9.pe.kr\/wordpress\/?p=11401"},"modified":"2026-02-20T21:49:24","modified_gmt":"2026-02-20T12:49:24","slug":"refreshtoken-%ec%9d%84-%ec%95%88%ec%a0%84%ed%95%98%ea%b2%8c-%ec%83%9d%ec%84%b1","status":"publish","type":"post","link":"https:\/\/www.skyer9.pe.kr\/wordpress\/?p=11401","title":{"rendered":"refreshToken \uc744 \uc548\uc804\ud558\uac8c \uc0dd\uc131"},"content":{"rendered":"

refreshToken \uc744 \uc548\uc804\ud558\uac8c \uc0dd\uc131<\/h1>\n

refreshToken \uc740 \uc11c\ubc84\uc5d0\uc11c Set-Cookie: HttpOnly; Secure; SameSite=Strict<\/code> \ub85c \ud074\ub77c\uc774\uc5b8\ud2b8 \uc804\uc1a1\ud558\ub294 \ubc29\ubc95\uc744 \uc124\uba85\ud569\ub2c8\ub2e4.<\/p>\n

Cookie \uc0dd\uc131 \uc720\ud2f8\ub9ac\ud2f0 \ud074\ub798\uc2a4<\/h2>\n
import jakarta.servlet.http.Cookie;\nimport org.springframework.http.ResponseCookie;\nimport org.springframework.stereotype.Component;\n\n@Component\npublic class CookieUtil {\n\n    public ResponseCookie createRefreshTokenCookie(String refreshToken, long maxAgeInSeconds) {\n        return ResponseCookie.from("refreshToken", refreshToken)\n                .httpOnly(true)    \/\/ JS \uc811\uadfc \ubc29\uc9c0\n                .secure(true)      \/\/ HTTPS \ud658\uacbd\uc5d0\uc11c\ub9cc \uc804\uc1a1\n                .path("\/")         \/\/ \ubaa8\ub4e0 \uacbd\ub85c\uc5d0\uc11c \ucfe0\ud0a4 \uc804\uc1a1\n                .maxAge(maxAgeInSeconds)\n                .sameSite("Strict") \/\/ CSRF \uacf5\uaca9 \ubc29\uc5b4\n                .build();\n    }\n}<\/code><\/pre>\n
\ucee8\ud2b8\ub864\ub7ec\uc5d0\uc11c \ucfe0\ud0a4 \uc804\uc1a1\ud558\uae30<\/h2>\n
@RestController\n@RequestMapping("\/api\/auth")\npublic class AuthController {\n\n    private final CookieUtil cookieUtil;\n\n    public AuthController(CookieUtil cookieUtil) {\n        this.cookieUtil = cookieUtil;\n    }\n\n    @PostMapping("\/login")\n    public ResponseEntity<?> login(@RequestBody LoginRequest loginRequest) {\n        \/\/ 1. \uc0ac\uc6a9\uc790 \uc778\uc99d \ub85c\uc9c1 (\uc0dd\ub7b5)\n        \/\/ 2. \ud1a0\ud070 \uc0dd\uc131\n        String accessToken = "access-token-string";\n        String refreshToken = "refresh-token-string";\n\n        \/\/ 3. Refresh Token\uc744 \ub2f4\uc740 \ucfe0\ud0a4 \uc0dd\uc131\n        ResponseCookie cookie = cookieUtil.createRefreshTokenCookie(refreshToken, 7 * 24 * 60 * 60);\n\n        \/\/ 4. Access Token\uc740 \ubc14\ub514\uc5d0, Refresh Token\uc740 \ud5e4\ub354(\ucfe0\ud0a4)\uc5d0 \uc124\uc815\n        return ResponseEntity.ok()\n                .header(HttpHeaders.SET_COOKIE, cookie.toString())\n                .body(new LoginResponse(accessToken)); \n    }\n}<\/code><\/pre>\n
\ud074\ub77c\uc774\uc5b8\ud2b8\ub85c\ubd80\ud130 \ucfe0\ud0a4 \uc77d\uae30<\/h2>\n
@PostMapping("\/refresh")\npublic ResponseEntity<?> refresh(\n    @CookieValue(name = "refreshToken") String refreshToken) {\n\n    \/\/ 1. \uc720\ud6a8\uc131 \uac80\uc99d \ubc0f \uc0c8\ub85c\uc6b4 Access Token \uc0dd\uc131 \ub85c\uc9c1\n    if (isValid(refreshToken)) {\n        String newAccessToken = "new-access-token";\n        return ResponseEntity.ok(new LoginResponse(newAccessToken));\n    }\n\n    return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();\n}<\/code><\/pre>\n
application-dev.yml, application-prd.yml \uc5d0\uc11c Secure \ucc98\ub9ac<\/h2>\n
Secure(true) \uc124\uc815 \uc2dc, http:\/\/localhost<\/a> \ud658\uacbd\uc5d0\uc11c\ub294 \ucfe0\ud0a4\uac00 \uc800\uc7a5\ub418\uc9c0 \uc54a\uc744 \uc218 \uc788\uc2b5\ub2c8\ub2e4.<\/p>\n
application-dev.yml<\/p>\n
auth:\n  cookie:\n    secure: false\n    same-site: Lax # \ub85c\uceec \uac1c\ubc1c \uc2dc\uc5d0\ub294 Strict\ubcf4\ub2e4 Lax\uac00 \ud3b8\ub9ac\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.<\/code><\/pre>\n
application-prd.yml<\/p>\n
auth:\n  cookie:\n    secure: true\n    same-site: Strict<\/code><\/pre>\n
@Component\npublic class CookieUtil {\n\n    @Value("${auth.cookie.secure}")\n    private boolean isSecure;\n\n    @Value("${auth.cookie.same-site}")\n    private String sameSite;\n\n    public ResponseCookie createRefreshTokenCookie(String refreshToken, long maxAgeInSeconds) {\n        return ResponseCookie.from("refreshToken", refreshToken)\n                .httpOnly(true)\n                .secure(isSecure)     \/\/ yml \uc124\uc815\uac12 \uc801\uc6a9\n                .path("\/")\n                .maxAge(maxAgeInSeconds)\n                .sameSite(sameSite)    \/\/ yml \uc124\uc815\uac12 \uc801\uc6a9\n                .build();\n    }\n}<\/code><\/pre>\n
\uc8fc\uc758\uc0ac\ud56d<\/h2>\n