I don't believe that this system is very secure, as:
There is no way to invalidate tokens.
On logout, the user is simply passed an expired token.
This means that a bad actor could easily use the old token to access the account.
The only safeguard is sending the token as an httpOnly cookie, which merely prevents scripts from accessing the token on supported browsers.
In general, JWTs should have short times to expiry unless they can be revoked (such as by using a whitelist/blacklist on server).
Decreasing the JWT's time to live will only decrease user satisfaction by requiring more frequent re-logins.
The best way to solve the issue (in my opinion) would be to save some kind of session-based approach. This will reduce the scalability of the app, though this could be improved by implementing a dedicated auth server or by using a 3rd party authentication provider.
Not sure whether this is in the scope of the project, but I wanted to get these concerns out there just in case anyone is considering using this auth scheme in their own projects.