DEV Community

Discussion on: What is really the difference between Cookie, Session and Tokens that nobody is talking about ?.

Andrei Dascalu

Not necessarily, since tokens expire. You can, if you want to, but you don't have to. Tokens should have short lifespans like a few minutes and extend their lives through refresh. You don't need to revoke a token for a few minutes, just flag the account to temporarily deny renewal.

Nico Braun • Edited

Usually it's more than a few minutes, and usually, yes, you certainly revoke the token as soon as the user clicks logout. You are not going to let the token be valid. And that's just the scenario where probably nothing bad will happen. Sometimes you may know that a token is compromised and you need to revoke. Even a few minutes can then cause damage.

Andrei Dascalu

Well, like I said, it's up to how you design your application and what concerns you have there. Suffice to say it can be nice to have, but it's not a universal requirement, not by a long shot.

nshimiye_emmy Author

Yeah, it all depends on how you want to design your application.
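
The two designs argued over in this thread, side by side, as an added example that is not part of any comment above: a short-lived token whose renewal is denied by flagging the account, and an explicit denylist that revokes a token at logout. The token format, the 300-second lifetime, renewing with the access token itself (separate refresh tokens are more common) and all names are assumptions made for this sketch.

```python
import base64, hashlib, hmac, json, secrets

KEY = secrets.token_bytes(32)   # signing key, constructed for this demo
ACCESS_TTL = 300                # assumed "few minutes" token lifetime, in seconds
renewal_denied = set()          # accounts flagged so that refresh is refused
revoked_jti = {}                # token id -> expiry; the logout/compromise denylist

def _sign(body: bytes) -> str:
    return hmac.new(KEY, body, hashlib.sha256).hexdigest()

def issue(user: str, now: int) -> str:
    claims = {"sub": user, "jti": secrets.token_hex(8), "exp": now + ACCESS_TTL}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return body.decode() + "." + _sign(body)

def verify(token: str, now: int, check_denylist: bool = True):
    """Return the claims if the token is acceptable, else None."""
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sig.encode(), _sign(body.encode()).encode()):
        return None                              # forged or altered token
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now >= claims["exp"]:
        return None                              # expired on its own
    if check_denylist and claims["jti"] in revoked_jti:
        return None                              # revoked before expiry
    return claims

def refresh(token: str, now: int):
    """Renew a still-valid token unless its account is flagged."""
    claims = verify(token, now)
    if claims is None or claims["sub"] in renewal_denied:
        return None
    return issue(claims["sub"], now)

def logout(token: str, now: int) -> None:
    """Revoke at once; the entry only has to outlive the token's own exp."""
    claims = verify(token, now)
    if claims:
        revoked_jti[claims["jti"]] = claims["exp"]

def purge(now: int) -> None:
    """Drop denylist entries whose tokens have expired anyway."""
    for jti, exp in list(revoked_jti.items()):
        if now >= exp:
            del revoked_jti[jti]
```

With only the account flag, a token already issued keeps verifying until its `exp`; the denylist closes that window at the cost of a lookup on every request, and short lifetimes keep the denylist small.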
