by spookthesunset 2314 days ago
For parts of the site where you need to boot somebody instantly... just hit up the authentication server on every request to validate the session. For parts of the site where it doesn’t matter so much, wait for the token to expire....

It isn’t all or nothing.


I did exactly this on the last implementation of JWT I did. Common actions wouldn’t hit the database if the token was less than an hour old, but actions like changing email address or password would always check the database.
This just made me realize. There is an even simpler way to achieve the same result without a database.

The token includes the time when it was created (iat attribute) so critical actions could check that the token is less than 3 minutes old.

Yeah that’s what I did, with iat info. But I did that for every request, and critical actions always hit the db.