by batoure 3386 days ago
Session invalidation is actually very easy to implement. It's important to think of it as a process instead of a built-in to the standard.

In most of our implementations we achieve this by differentiating between the session token and a request token. Requests that actually power the app use tokens that are very short lived. Request tokens are generated by the core auth server using the session token. A session can be invalidated at the core auth server which will then refuse to give request tokens to the bearer.