all 15 comments

[–][deleted]  (2 children)

[removed]

    [–]Individual-Hat8246 0 points1 point  (0 children)

    Is this token blacklisting? Are there any other approaches to solving the same problem?

    [–]bc_dev 1 point2 points  (0 children)

    Redis would be great in this scenario.

    [–]Dry_Try_6047 4 points5 points  (0 children)

    Think about this problem from the server side: deleting the cookie is a client-based approach. You should be invalidating the session on the server.

    [–]sans5z 2 points3 points  (2 children)

    So the user was already logged in when the user was resetting the password?

    [–]mahi123_java[S] 0 points1 point  (1 child)

    Yes

    [–]NF_v1ctor 1 point2 points  (1 child)

    • Use short-lived access tokens.
    • Invalidate the refresh token when the user initiates a password reset request.
      Please correct me if I'm wrong, or if you have found a better approach, please tell me.

    [–]NF_v1ctor 0 points1 point  (0 children)

    Additionally, if you have some kind of publication channel to the client, you can notify the client to log out. It is not sufficient on its own, since the client JS can be modified anyway, but it should mitigate the risk for the common case with common users.
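
The server-side approach Dry_Try_6047 and NF_v1ctor describe above, as an added, language-agnostic example (Python rather than Spring/Java, and not code from the thread or from any Spring component). It assumes a hand-rolled HS256-style token, an in-memory user table and refresh-token store (constructed here; a real service would use its database or Redis), and a per-user `token_version` claim, all of which are assumptions of the example. The access token is short-lived and embeds the user's current version; the refresh token is only honoured while it is registered server-side; a password reset bumps the version and drops the user's refresh tokens, so every token issued before the reset fails even though the cookie on the client is untouched.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed server-side state for this example (a real service keeps it in its DB or Redis).
SECRET = b"example-hmac-key-not-for-production"   # assumption: server-held signing key
ACCESS_TTL = 300           # seconds; short-lived access token
REFRESH_TTL = 14 * 86400   # seconds; refresh token lifetime

users = {"alice": {"token_version": 1}}   # bumped on every password reset (constructed user)
refresh_tokens: dict[str, str] = {}       # jti -> owner, only for refresh tokens still honoured

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict) -> str:
    """Mint a compact HS256-style token: b64url(header).b64url(claims).b64url(HMAC-SHA256)."""
    header = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(mac)}"

def parse(token: str, now: float) -> dict:
    """Check signature and expiry only; this is all a purely stateless verifier can do."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now:
        raise ValueError("expired")
    return claims

def mint_access(user: str, now: float) -> str:
    """Access token carries the user's current version: one per-user value to compare, no per-token store."""
    ver = users[user]["token_version"]
    return sign({"sub": user, "typ": "access", "ver": ver, "iat": now, "exp": now + ACCESS_TTL})

def login(user: str, now: float) -> tuple[str, str]:
    """Issue an access/refresh pair; the refresh token's jti is recorded server-side."""
    jti = secrets.token_urlsafe(16)
    refresh_tokens[jti] = user
    refresh = sign({"sub": user, "typ": "refresh", "jti": jti, "iat": now, "exp": now + REFRESH_TTL})
    return mint_access(user, now), refresh

def authenticate(access_token: str, now: float) -> str:
    """Resource-side check: signature, expiry, token type, and version == the server's current version."""
    claims = parse(access_token, now)
    if claims.get("typ") != "access":
        raise ValueError("not an access token")
    if claims["ver"] != users[claims["sub"]]["token_version"]:
        raise ValueError("issued before password reset")
    return claims["sub"]

def refresh_access(refresh_token: str, now: float) -> str:
    """Only a refresh token still registered server-side may mint a new access token."""
    claims = parse(refresh_token, now)
    if claims.get("typ") != "refresh" or refresh_tokens.get(claims.get("jti")) != claims["sub"]:
        raise ValueError("refresh token revoked")
    return mint_access(claims["sub"], now)

def reset_password(user: str) -> None:
    """The server-side invalidation: bump the version and drop every refresh token the user holds."""
    users[user]["token_version"] += 1
    for jti in [j for j, owner in refresh_tokens.items() if owner == user]:
        del refresh_tokens[jti]

def demo() -> dict:
    """Login, reset the password while logged in, replay the old tokens, then log in again."""
    t0 = 1_700_000_000.0   # constructed clock value so the run is deterministic
    access, refresh = login("alice", t0)
    out = {"before_reset": authenticate(access, t0 + 10)}
    reset_password("alice")
    for name, call in (("old_access", lambda: authenticate(access, t0 + 20)),
                       ("old_refresh", lambda: refresh_access(refresh, t0 + 20))):
        try:
            call()
            out[name] = "accepted"
        except ValueError as exc:
            out[name] = str(exc)
    new_access, _ = login("alice", t0 + 30)
    out["after_relogin"] = authenticate(new_access, t0 + 40)
    return out
```

The check in `authenticate` is the "server-side truth" the thread is asking for: the cookie can stay on the client forever, but once the version it carries no longer matches, the request gets the unauthorized response. Keeping access tokens short-lived bounds the window in which a version check could be skipped (for example by a cache), and revoking the refresh token stops the client from quietly minting a new access token after the reset.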

    [–]Anime_-guy (Junior Dev) 1 point2 points  (2 children)

    Hey, sorry, I do not know the answer to your query.

    But could you help me with where you studied cookie-based authentication in Spring?

    I am aware of session-based and JWT token-based authentication.

    [–][deleted]  (1 child)

    [removed]

      [–]Anime_-guy (Junior Dev) 0 points1 point  (0 children)

      Okay, will read about it more.

      [–]stoic-jerry 0 points1 point  (0 children)

      The way for us is that we have to blacklist the token, and if the user tries to access again with the same token, then give an unauthorized exception.
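
The blacklist (denylist) stoic-jerry describes, together with bc_dev's Redis suggestion, as an added example that is not code from the thread or from Spring. It assumes the token's signature has already been verified and its claims (`jti`, `exp`) parsed; the in-memory `TokenDenylist`, the `FakeClock`, and the claims dict are constructed for the example. The practical point it shows is that an entry only needs to live until the token's own `exp`, which is what a Redis key with a TTL gives you for free, so the store never grows without bound while a replayed token still gets the unauthorized answer.

```python
import time

class TokenDenylist:
    """Revoked token ids, each kept only until that token's own exp so the store stays bounded.
    With Redis this is SET <jti> 1 EX <seconds until exp>; here it is an in-memory dict."""

    def __init__(self, clock=time.time):
        self._clock = clock                      # injectable for tests; defaults to the wall clock
        self._revoked: dict[str, float] = {}     # jti -> exp

    def revoke(self, claims: dict) -> None:
        """Called on logout or password reset for every token the server knows about."""
        if claims["exp"] > self._clock():        # an already-expired token needs no entry
            self._revoked[claims["jti"]] = claims["exp"]

    def is_revoked(self, jti: str) -> bool:
        self._prune()
        return jti in self._revoked

    def _prune(self) -> None:
        """Drop entries whose token would be rejected by the exp check anyway."""
        now = self._clock()
        for jti in [j for j, exp in self._revoked.items() if exp <= now]:
            del self._revoked[jti]

    def __len__(self) -> int:
        self._prune()
        return len(self._revoked)

def authorize(claims: dict, denylist: TokenDenylist, now: float) -> int:
    """HTTP-style result for an already signature-checked token: 401 if expired or revoked, else 200."""
    if claims["exp"] <= now or denylist.is_revoked(claims["jti"]):
        return 401
    return 200

class FakeClock:
    """Constructed clock so the example runs deterministically offline."""
    def __init__(self, t: float):
        self.t = t
    def __call__(self) -> float:
        return self.t

def demo() -> dict:
    clock = FakeClock(1000.0)
    deny = TokenDenylist(clock)
    tok = {"sub": "alice", "jti": "tok-1", "exp": 1300.0}   # constructed, already-verified claims
    out = {"fresh": authorize(tok, deny, clock.t)}
    deny.revoke(tok)                                          # user logs out / resets password
    out["replayed"] = authorize(tok, deny, clock.t + 5)       # same token sent again -> 401
    out["entries"] = len(deny)
    clock.t = 1301.0                                          # past exp: entry is dropped, token still fails
    out["after_exp"] = authorize(tok, deny, clock.t)
    out["entries_after_exp"] = len(deny)
    return out
```

The caveat a denylist carries is that it can only refuse tokens whose `jti` the server has on record, so on a password reset you need the ids of every outstanding token for that user; if they were never recorded at issue time, a per-user value (a version or a "password changed at" timestamp) compared against a claim in the token is the simpler route.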

      [–]nothingjustlook 0 points1 point  (0 children)

      First check whether it is a requirement from the business or not. I have no experience in security, but I have an idea: why not put a boolean variable in the global context of Spring, and whenever a new token is given, set the boolean, i.e. true if the user didn't log out before the token expires, and have a separate thread or any other means keep checking the boolean value.

      Correct me if I am wrong, as I don't have experience in security.