by geezerjay
2734 days ago
> If you have to track revoked tokens you might as well track active sessions via a session ID.

No. Tracking revoked tokens is only necessary if for some reason a server wants to reject a valid token, and that's only required until the token expires. The use of nonces to avoid replay attacks is also a widely established practice, thus we're not talking about extra infrastructure. Tracking revoked tokens also doesn't take up any resources as tokens are designed to be short-lived.
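An added example, not part of the comment above or of any project discussed in the thread: a sketch of a revocation list whose entries are dropped once the revoked token's own expiry has passed, so its size is bounded by the token lifetime. It assumes JWT-style `jti` and `exp` claims on tokens whose signature has already been verified; `RevocationList` and `accept` are hypothetical names.

```python
import heapq
import time


class RevocationList:
    """Denylist of revoked token IDs; each entry lives only until the token's expiry."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._revoked = {}   # jti -> exp (Unix seconds)
        self._by_exp = []    # min-heap of (exp, jti) so purging is cheap

    def revoke(self, jti, exp):
        """Record a revocation. An already-expired token needs no entry."""
        if exp <= self._clock():
            return False
        if jti not in self._revoked:
            self._revoked[jti] = exp
            heapq.heappush(self._by_exp, (exp, jti))
        return True

    def _purge(self):
        """Drop entries whose token would be rejected on expiry anyway."""
        now = self._clock()
        while self._by_exp and self._by_exp[0][0] <= now:
            _, jti = heapq.heappop(self._by_exp)
            self._revoked.pop(jti, None)

    def is_revoked(self, jti):
        self._purge()
        return jti in self._revoked

    def __len__(self):
        self._purge()
        return len(self._revoked)


def accept(claims, revoked, clock=time.time):
    """Accept signature-verified claims (assumed) only if unexpired and not revoked."""
    if claims["exp"] <= clock():
        return False
    return not revoked.is_revoked(claims["jti"])
```
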