For a new node.js project I'm working on, I'm thinking about switching over from a cookie based session approach (by this, I mean, storing an id to a key-value store containing user sessions in a user's browser) to a token-based session approach (no key-value store) using JSON Web Tokens (jwt).

The project is a game that utilizes socket.io - having a token-based session would be useful in such a scenario where there will be multiple communication channels in a single session (web and socket.io).

How would one provide token/session invalidation from the server using the jwt approach?

I also wanted to understand what common (or uncommon) pitfalls/attacks I should look out for with this sort of paradigm. For example, if this paradigm is vulnerable to the same/different kinds of attacks as the session store/cookie-based approach.

So, say I have the following (adapted from this and this):

Session Store Login:

    app.get('/login', function(request, response) )

A logout (or invalidate) for the Session Store approach would require an update to the KeyValueStore

It seems like such a mechanism would not exist in the token-based approach since the token itself would contain the info that would normally exist in the key-value store.

I too have been researching this question, and while none of the ideas below are complete solutions, they might help others rule out ideas, or provide further ones.

1) Simply remove the token from the client

Obviously this does nothing for server side security, but it does stop an attacker by removing the token from existence (ie. they would have to have stolen the token prior to logout).

You could store the invalid tokens until their initial expiry date, and compare them against incoming requests. This seems to negate the reason for going fully token based in the first place though, as you would need to touch the database for every request. The storage size would likely be lower though, as you would only need to store tokens that were between logout & expiry time (this is a gut feeling, and is definitely dependent on context).

3) Just keep token expiry times short and rotate them often