undefined | Better HN

0 pointsdrinchev6y ago0 comments

So where do you store the ones that should not allow to be refreshed? How short lived they should be in case of "Reset Password" scenario, when you need to kick out malicious user?

0 comments

tracker16y ago

You can still do a redis or memcached, or even an rdbms table for that matter on revoked tokens... and do a lookup for critical systems... You don't need to do that on EVERY request though. It's really not less difficult than a session server/service/database, and more likely to scale better.

labawi6y ago

GP was talking about every request hitting the DB. A once in 10 min refresh should not be an issue.

kissgyorgy6y ago

that's the whole point. That's the trade off you make, you DON'T implement those features. When you need that, it doesn't make sense to use JWT. Right tools for the right job...

j / k navigate · click thread line to collapse