Invalidating client side JWT session -


i've read lot jwt , how create "stateless" sessions through jwt. gist of understand because of signature & expiration, can send entire session saved client , server not have maintain db remember session.

what not understand happens if user needs log out, or need invalidate session before expiration?

technically, instruct browser delete client side, can't sure occurred. token technically still valid , if deletion instructions weren't followed, still used.

is understanding correct? if so, isn't huge fault client-side session management? there methods overcoming aside having server store session or making expiration time short?

there several reason invalidate jwt token before expiration time: account deleted/blocked/suspended, password changed, permissions changed, user logged out admin. question on topic

there several techniques apply or combine depending on use case

1) remove client token local storage

2) token blacklist: store tokens between logout & expiry time, mark expired , check in every request. use unique identifier jti or include last login date , issued @ iat remove old tokens

it needed server storage. if not expect many tokens revoke, use in-memory blacklist. need set entry after updating critical data on user , currenttime - maxexpirytime < lastlogindate (iat)‌​. entry can discarded when currenttime - maxexpirytime > lastmodified (no more non-expired tokens sent). in case not needed store entire token. sub, iat , maybe jti

3) expiry times short , rotate them. issue new access token every few request. use refresh tokens allow application obtain new access tokens without needing re-authenticate , combine sliding-sessions

sliding-sessions sessions expire after period of inactivity. when user performs action, new access token issued. if user uses expired access token, session considered inactive , new access token required. new token can obtained refresh token or requiring credentials

other common techniques

  • allow change user unique id if account compromised new user&password login

  • to invalidate tokens when user changes password, sign token hash of password. if password changes, previous tokens automatically fail verify. extend mechanism other field of interest sign. downside requires access database

  • change signature algorithm revoke current tokens in major security issues

take @ invalidating json web tokens


Comments

Popular posts from this blog

php - Vagrant up error - Uncaught Reflection Exception: Class DOMDocument does not exist -

vue.js - Create hooks for automated testing -

Add new key value to json node in java -