by merb
3661 days ago
Eventually JWT has very few round trips. Our current implementation is:

- Really short-lived JWT of 1 minute.
- If the JWT is invalid and the user didn't do a request in the last minute, it queries the database for a session token (we use session tokens and JWT). If the token is inside the database/redis/ehcache/whatever, the user still gets a new JWT token.

Actually we did that since we needed a "sane" way of revoking tokens fast but still keep the user logged in until the browser is closed. We don't have a mobile client (yet), but I guess we'll try to do something like that too, just not with a session.

This works really well, and mostly our users won't hang around for more than a minute, and when they do it's not a problem to have a single backend call.
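The scheme the comment describes, as an added example that is not the commenter's code: a one-minute HS256 JWT is verified locally on every request, and only when it is missing, tampered with or expired does the server fall back to a session lookup in a store (a dict here standing in for the database/redis table) and mint a fresh JWT if the session is still present. Revoking the session therefore takes effect within at most one JWT lifetime, with no backend call on the hot path. The secret, the session ids and the `now` parameter are constructed for the demo; the JWT encoding is written by hand with the standard library so it runs without PyJWT.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret-do-not-reuse"  # assumption: server-side HMAC key
JWT_TTL = 60  # seconds; the "really short lived JWT of 1 minute" from the comment


def _b64(data: bytes) -> str:
    """base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_jwt(user_id: str, session_id: str, now: int) -> str:
    """Mint a compact HS256 JWT that expires JWT_TTL seconds after `now`."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "sid": session_id, "iat": now, "exp": now + JWT_TTL}
    signing_input = ".".join(
        _b64(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64(sig)}"


def verify_jwt(token: str, now: int):
    """Return the payload if the signature is valid and the token is unexpired, else None.

    No database access: this is the fast path taken by almost every request.
    """
    try:
        h, p, s = token.split(".")
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(s)):
            return None
        header = json.loads(_unb64(h))
        payload = json.loads(_unb64(p))
    except ValueError:  # bad base64, bad JSON, wrong number of segments
        return None
    # Pin the algorithm so a header claiming "none" or a different alg is rejected.
    if header.get("alg") != "HS256" or "sub" not in payload:
        return None
    if payload.get("exp", 0) <= now:
        return None
    return payload


class SessionStore:
    """Stand-in for the database/redis session table (constructed for the example)."""

    def __init__(self):
        self._sessions = {}

    def create(self, session_id: str, user_id: str):
        self._sessions[session_id] = user_id

    def revoke(self, session_id: str):
        """Revocation: drop the session; the user is locked out within JWT_TTL."""
        self._sessions.pop(session_id, None)

    def lookup(self, session_id: str):
        return self._sessions.get(session_id)


def authenticate(jwt_token, session_id: str, store: SessionStore, now: int):
    """Resolve a request to (user_id, jwt_to_use, hit_backend).

    Valid JWT  -> trust it, no backend call.
    Otherwise  -> one lookup of the session cookie; if the session still exists,
                  mint a new JWT, else the request is unauthenticated.
    """
    payload = verify_jwt(jwt_token or "", now)
    if payload is not None:
        return payload["sub"], jwt_token, False
    user_id = store.lookup(session_id)
    if user_id is None:
        return None, None, True
    return user_id, issue_jwt(user_id, session_id, now), True


if __name__ == "__main__":
    store = SessionStore()
    store.create("sess-1", "alice")
    t0 = 1_700_000_000
    tok = issue_jwt("alice", "sess-1", t0)
    print(authenticate(tok, "sess-1", store, t0 + 10))   # valid JWT, no backend hit
    print(authenticate(tok, "sess-1", store, t0 + 90))   # expired JWT, session found, new JWT
    store.revoke("sess-1")
    print(authenticate(tok, "sess-1", store, t0 + 200))  # expired JWT, session gone
```

The trade-off the comment accepts is visible in `authenticate`: a JWT that is still inside its one-minute window is honoured even if the session was revoked a few seconds ago, so revocation latency equals `JWT_TTL`. Shortening the TTL tightens that window at the cost of more fallback lookups.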