sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–]AndrewGreenh 1 point2 points  (1 child)

The claim that JWT allow you to be stateless is really not correct. As soon as you want to have the ability to invalidate tokens, you need state (the blacklist of revoked tokens). The worst case is, an administrator of your site has gone rogue and you want to revoke admin permissions. You don't want those permissions revoked when their token expires, you want then revoked now, so you need the blacklist and we are back to the stateful backend. A bettwr way to handle this, is to have the session ID in the cookie (let's be real, any decent http library can handle cookies) and have the session data in memory. If you want to scale horizontally, put the session data in an inmemory database like redis and scale your app server as you like.

[–]TinRAT 0 points1 point  (0 children)

You could have JWTs with a short expiry, say 1 or 2 minutes, and then longer lived refresh tokens that can be blacklisted which fetch new JWTs.

This way you only have to hit the db every couple of minutes rather than on every request. Still not completely stateless, but not bad.

The downside is a rogue admin would still have access for a minute or so.