DEV Community


Discussion on: JSON web tokens are NOT meant for authenticating the same user repeatedly: Use session tokens instead

Tran Van Sang • Edited

"Long lived refresh tokens can't be revoked" <- this is false, or, at least it is not proved.

Raising a sample solution can be used to prove the possibility. But to prove the impossibility, we have to prove that ALL solutions do not work.

miquelvir

Being really precise, true, I did not do a formal proof on that... anyway, for the moment it is not known how to revoke such tokens without state, should it be possible... so to practical effects, it's the same.
