by devmunchies 2406 days ago
Yikes. It doesn't support the security feature of logging everyone out of the account? So if someone gets access to your account they're in for good.
2 comments

Sounds like JSON web tokens! Should have stuck to sessions if that's the case.

Admittedly, the performance benefits of JWT are probably warranted here. But still, you either end up building an in-memory blacklist or a DB table, thus negating most benefits.

I often tend to just use relatively short-lived tokens (12 hrs mostly), which avoids a lot of issues in practice. It depends on the use case. Depending on their DB systems and caching infrastructure, the JTI as a key in a revocation database would work. It's not always worth implementing though.
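To make the scheme in the comment above concrete, here is an added example (not code from the thread or from the service being discussed): an HS256 JWT issuer and verifier using only the standard library, with short-lived tokens, a JTI revocation table that is purged once the tokens it names have expired anyway, and, going one step beyond the comment, a per-user session version carried in the token so that bumping a single counter invalidates every outstanding token for that account, which is the "log everyone out" feature the thread is about. The key, helper names, sample user and timestamps are constructed for illustration.

```python
"""Minimal HS256 JWT with a JTI revocation list and a per-user "log out everywhere" counter.

Added example, not code from the thread or from the service discussed there.
Token format is standard JWT (RFC 7519); the store, helper names and demo key
are assumptions made for illustration.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed demo key; a real deployment loads this from a secret store.
DEMO_KEY = b"demo-hmac-key-not-for-production"
TOKEN_TTL = 12 * 3600  # 12 hours, the lifetime mentioned in the thread


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class RevocationStore:
    """The server-side state a stateless JWT otherwise lacks (in-memory here; a DB or cache in practice).

    revoked_jti:     individual tokens, each kept only until its own exp, so the
                     table never holds more than one TTL's worth of revocations.
    session_version: per user; tokens carry the version they were issued under,
                     and bumping it kills every token for that user at once.
    """

    def __init__(self) -> None:
        self.revoked_jti: dict = {}       # jti -> exp
        self.session_version: dict = {}   # sub -> int

    def current_version(self, sub: str) -> int:
        return self.session_version.get(sub, 0)

    def revoke(self, payload: dict) -> None:
        """Revoke one token (single-device logout)."""
        self.revoked_jti[payload["jti"]] = payload["exp"]

    def logout_everywhere(self, sub: str) -> None:
        """Invalidate all outstanding tokens for one account."""
        self.session_version[sub] = self.current_version(sub) + 1

    def purge(self, now: int) -> None:
        """Drop jti entries whose token has expired anyway; keeps the table bounded."""
        self.revoked_jti = {j: e for j, e in self.revoked_jti.items() if e > now}

    def is_revoked(self, payload: dict) -> bool:
        if payload["jti"] in self.revoked_jti:
            return True
        return payload.get("ver") != self.current_version(payload["sub"])


def issue_token(sub: str, key: bytes, now: int, store: RevocationStore, ttl: int = TOKEN_TTL) -> str:
    """Issue an HS256 JWT with iat, exp, a random jti and the user's current session version."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": now, "exp": now + ttl,
               "jti": secrets.token_urlsafe(16), "ver": store.current_version(sub)}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_signature(token: str, key: bytes) -> Optional[dict]:
    """Check the HS256 signature and return the payload, or None on any failure."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        # Pin the algorithm: never let the token choose it ("alg": "none" and friends).
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        return json.loads(b64url_decode(p))
    except ValueError:  # covers bad base64, bad JSON, wrong segment count
        return None


def authenticate(token: str, key: bytes, store: RevocationStore, now: int) -> Optional[str]:
    """Full check: signature, then expiry, then the revocation store. Returns the subject."""
    payload = verify_signature(token, key)
    if payload is None or payload["exp"] <= now:
        return None
    if store.is_revoked(payload):
        return None
    return payload["sub"]
```

The trade-off the commenters describe is visible in `authenticate`: every request still does a store lookup (a cache or DB hit), so the statelessness of the JWT buys little beyond a bounded, TTL-sized table instead of a full session store. The version counter costs one integer per user, and `purge` only works because tokens expire; with very long TTLs the revocation table grows without bound.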
It's not that hard to build a highly available active-active session service given time and engineering headcount.

It's hard if you're trying to get out the door fast, though.

Yeah, I'm not saying it's impossible. But I'm saying it's probably easier to just make traditional cookies/sessions scale.

I went through my shiny JWT phase. I'm happily back in session land though.

Sounds like that's exactly what did happen, at least to some users. Someone got access and logged out the original owner. Which is why they're complaining.