DEV Community

loading...

Discussion on: JSON web tokens are NOT meant for authenticating the same user repeatedly: Use session tokens instead

Collapse
miquelvir profile image
miquelvir

yes!!! in fact, thats a really used approach. the issue: you have the same revoking issue, long lived refresh tokens can't be revoked. solution: keeping a balcklist of jwt in a DB until they expire... but then it is not stateless

Collapse
tranvansang profile image
Tran Van Sang • Edited

"Long lived refresh tokens can't be revoked" <- this is false, or, at least it is not proved.

Raising a sample solution can be used to prove the possibility. But to prove the imposibility, we have to prove that ALL solutions do not work.

Thread Thread
miquelvir profile image
miquelvir

being really precise, true, i did not do a formal proof on that.. anyway, for the moment it is not known how to revoke such tokens without state, should it be possible... so to practical effects, its the same

Forem Open with the Forem app