
Access Tokens: Revoke vs Delete

I am creating a route /user/logout using dusterio/lumen-passport, and in the controller action I manually revoke tokens, which leads to the user being logged out.

I have two options to log out a user: revoke the token (which keeps the token in the database and just sets a flag indicating that the token is useless), or delete the token.

My question is simply this:

What is the best approach to manage tokens? Should I log out by deleting or by revoking?

In the future, I will be using Redis to store the tokens, so I suppose I should delete the tokens, since it doesn't make sense to persist expired data on the Redis server.

1) Revoke / invalidate the token.

2) Every time you call a protected API, you should check the token's validity and only then serve the request accordingly.

3) In case you encounter an invalid token, redirect the user to the login page, issue a valid token on successful authentication, and redirect them to the requested page again.

With this approach, even if there's an existing session open in another tab / window of the same browser, and the user hasn't yet logged in again after a logout / session timeout, this will always ensure that a valid token is used at all times.

It definitely doesn't make sense to store expired tokens. Neither is it the right practice to store JWT tokens in the database. They should only be stored in session data and removed / replaced when their validity changes.

Therefore, only store a single valid JWT token for a particular purpose in session data. Be sure you'll never get the same JWT token ever again, assuming your JWT token issuer server has the best implementation. So there's absolutely no point in storing them after expiry.
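As an added illustration of the answer's approach (example code, not from the question, the answer, or lumen-passport): a constructed in-memory token store offering both logout strategies, revoke (flag the row, keep it) and delete (drop the row), plus the per-request validity check that every protected endpoint must run. All class and function names are assumptions.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Token:
    user_id: int
    expires_at: float        # absolute time, compared against a caller-supplied clock
    revoked: bool = False


@dataclass
class TokenStore:
    """In-memory stand-in for the database / Redis table of access tokens."""
    tokens: dict = field(default_factory=dict)

    def issue(self, user_id: int, ttl: float, now: float) -> str:
        token_id = secrets.token_urlsafe(32)   # unguessable and never reused
        self.tokens[token_id] = Token(user_id, now + ttl)
        return token_id

    def revoke(self, token_id: str) -> None:
        """Logout by flagging: the row stays (audit trail) but is rejected."""
        if token_id in self.tokens:
            self.tokens[token_id].revoked = True

    def delete(self, token_id: str) -> None:
        """Logout by removal: no leftover row, nothing to audit later."""
        self.tokens.pop(token_id, None)

    def is_valid(self, token_id: str, now: float) -> bool:
        """The check a protected endpoint runs before serving: exists, not revoked, not expired."""
        tok = self.tokens.get(token_id)
        return tok is not None and not tok.revoked and now < tok.expires_at

    def purge_expired(self, now: float) -> int:
        """What a Redis key TTL would do for you: drop dead rows, return how many."""
        dead = [t for t, tok in self.tokens.items() if now >= tok.expires_at]
        for t in dead:
            del self.tokens[t]
        return len(dead)


def protected_call(store: TokenStore, token_id: str, now: float) -> str:
    """Steps 2 and 3 of the answer: serve only a valid token, else send to login."""
    if not store.is_valid(token_id, now):
        return "redirect:/login"
    return "ok"
```

A revoked token still occupies a row until it expires, which is the trade-off the question describes; with a TTL-backed store, delete-on-logout and expiry cleanup collapse into the same mechanism.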
