Not sure that's the real alternative. Sessions need to be stored somewhere server side (while tokens don't), but tokens are also stored in cookies (just not sent via cookies).
Client side it's the same type of problem. You need to store the session ID or the token somewhere on the client before it's sent back to the server, preferably in a way that's protected against XSS and CSRF.
yeah sure.
When using tokens, you still need to maintain a "deny-list" on the backend with tokens that have been revoked. The overhead is significantly lower than maintaining all the sessions, though.
exactly!!
Not necessarily, since tokens expire. You can, if you want to, but you don't have to. Tokens should have short lifespans, like a few minutes, and extend their lives through refresh. You don't need to revoke a token for a few minutes; just flag the account to temporarily deny renewal.
Usually it's more than a few minutes, and usually yes, you certainly revoke the token as soon as the user clicks logout. You are not going to let the token stay valid. And that's just the scenario where probably nothing bad will happen. Sometimes you may know that a token is compromised and you need to revoke it. Even a few minutes then can cause damage.
Well, like I said, it's up to how you design your application and what concerns you have there. Suffice to say it can be nice to have, but it's not a universal requirement, not by a long shot.
yeah, it all depends on how you want to design your application
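Both designs from the thread side by side, as an added example that is not from any of the commenters: short-lived access tokens renewed through a refresh token, a deny-list that only ever holds tokens that are still alive (so its size is bounded by the token lifetime), and an account "freeze" flag that refuses renewal instead of revoking anything. The HMAC-signed token format, the `TokenService` class and the key are constructed for the demo; a real service would use a proper JWT library and load the key from a secret store.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-key"      # constructed; load from a secret store in practice
ACCESS_TTL, REFRESH_TTL = 300, 86400  # seconds: a few minutes for access, longer for refresh

def _sign(claims):
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()

def _claims(token):
    # Returns the claims only if the MAC verifies (constant-time compare), else None.
    body, _, mac = token.partition(".")
    good = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return json.loads(base64.urlsafe_b64decode(body)) if hmac.compare_digest(mac, good) else None

class TokenService:
    def __init__(self):
        self.denied = {}     # jti -> exp: deny-list of revoked tokens that have not yet expired
        self.frozen = set()  # accounts flagged so renewal is refused (no revocation needed)

    def _new(self, user, typ, now, ttl):
        return _sign({"sub": user, "typ": typ, "jti": secrets.token_hex(8), "exp": now + ttl})

    def issue(self, user, now):
        return self._new(user, "access", now, ACCESS_TTL), self._new(user, "refresh", now, REFRESH_TTL)

    def _check(self, token, typ, now):
        c = _claims(token)
        if c is None or c["typ"] != typ or c["exp"] <= now or c["jti"] in self.denied:
            return None
        return c

    def verify(self, access, now):
        c = self._check(access, "access", now)
        return c["sub"] if c else None

    def revoke(self, token, now):
        # Logout / known compromise: deny the token until its own expiry, then it can be dropped.
        c = _claims(token)
        if c and c["exp"] > now:
            self.denied[c["jti"]] = c["exp"]

    def prune(self, now):
        self.denied = {j: e for j, e in self.denied.items() if e > now}

    def freeze(self, user):
        self.frozen.add(user)

    def refresh(self, refresh_tok, now):
        c = self._check(refresh_tok, "refresh", now)
        if c is None or c["sub"] in self.frozen:
            return None
        return self.issue(c["sub"], now)
```

Call `prune` periodically so the deny-list never grows past the number of tokens revoked within one lifetime.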