Invalidating JSON Web Tokens

前端 未结 28 2390
夕颜
夕颜 2020-11-22 06:17

For a new node.js project I\'m working on, I\'m thinking about switching over from a cookie based session approach (by this, I mean, storing an id to a key-value store conta

28条回答
  •  有刺的猬
    2020-11-22 06:49

    The ideas posted above are good, but a very simple and easy way to invalidate all the existing JWTs is simply to change the secret.

    If your server creates the JWT, signs it with a secret (JWS) then sends it to the client, simply changing the secret will invalidating all existing tokens and require all users to gain a new token to authenticate as their old token suddenly becomes invalid according to the server.

    It doesn't require any modifications to the actual token contents (or lookup ID).

    Clearly this only works for an emergency case when you wanted all existing tokens to expire, for per token expiry one of the solutions above is required (such as short token expiry time or invalidating a stored key inside the token).

提交回复
热议问题