This post discusses security in web login systems.
The utility of refresh tokens
Choosing between refresh tokens and re-authentication by username and password is a trade-off. Refresh tokens reduce the probability of password disclosure and are convenient for users, since they don't have to re-enter their passwords repeatedly, but they make clients harder to implement. Re-authentication is simple to implement, but users have to enter their credentials at every expiration and run the risk of their password being stolen.
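As an added illustration of this trade-off (not code from the original post), the Python example below sends the password once at login and afterwards renews an expired access token with a refresh token; the retry logic in `Client.whoami` is the extra client-side work mentioned above. The server, the user and password, the 300-second lifetime and the single-use refresh tokens are all assumptions made for the example.

```python
import hashlib, hmac, secrets

def kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthServer:  # toy in-memory login server; user and password are constructed
    ACCESS_TTL = 300  # seconds an access token stays valid (assumed value)

    def __init__(self):
        salt = secrets.token_bytes(16)
        self._users = {"alice": (salt, kdf("correct horse", salt))}
        self._access = {}   # access token -> (user, expiry time)
        self._refresh = {}  # refresh token -> user (a real server would store a hash)
        self.password_checks = 0  # times a password was sent to the server

    def _issue(self, user, now):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[access] = (user, now + self.ACCESS_TTL)
        self._refresh[refresh] = user
        return access, refresh

    def login(self, user, password, now):
        self.password_checks += 1
        salt, stored = self._users.get(user, (b"\0" * 16, b""))
        if not hmac.compare_digest(kdf(password, salt), stored):
            raise PermissionError("bad credentials")
        return self._issue(user, now)

    def refresh(self, refresh_token, now):
        if refresh_token not in self._refresh:
            raise PermissionError("invalid refresh token")
        return self._issue(self._refresh.pop(refresh_token), now)  # single use

    def whoami(self, access, now):
        user, expiry = self._access.get(access, (None, 0))
        if user is None or now >= expiry:
            raise PermissionError("access token expired or unknown")
        return user

class Client:  # the extra client-side logic that refresh tokens require
    def __init__(self, server, user, password, now):
        self.server = server
        self.access, self.refresh_token = server.login(user, password, now)

    def whoami(self, now):
        try:
            return self.server.whoami(self.access, now)
        except PermissionError:  # expired: renew without the password
            self.access, self.refresh_token = self.server.refresh(self.refresh_token, now)
            return self.server.whoami(self.access, now)
```

Time is passed in as `now` so that expiry can be exercised deterministically; `password_checks` stays at 1 however many times the access token is renewed.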