Hacker News
by gorgonian 2314 days ago
I did exactly this on the last implementation of JWT I did. Common actions wouldn’t hit the database if the token was less than an hour old, but actions like changing email address or password would always check the database.
1 comment

This just made me realize. There is an even simpler way to achieve the same result without a database.

The token includes the time when it was created (iat attribute) so critical actions could check that the token is less than 3 minutes old.

Yeah that’s what I did, with iat info. But I did that for every request, and critical actions always hit the db.
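The scheme the thread describes, as an added example (this is not code posted by either commenter): a stdlib-only HS256 JWT verifier plus an authorizer that applies the two safeguards discussed above. Common actions are accepted on the token alone while it is less than an hour old; actions on the critical list ("change_email", "change_password" here, a made-up list) require a token minted within the last 3 minutes and also consult the account store through a caller-supplied revocation callback. The key, subject, thresholds, action names and clock-skew tolerance are all assumptions chosen for the example.

```python
"""Added example: per-action freshness checks on a JWT's iat claim.

Stdlib-only HS256 encode/verify, then an authorizer that decides, per action,
whether the token's age alone is acceptable or whether the request must also
consult the account store. Key, claims, thresholds and action names are
hypothetical; none of it is taken from the thread's own implementation.
"""
import base64
import hashlib
import hmac
import json
import time

COMMON_MAX_AGE = 3600        # common actions: token alone is trusted for an hour
CRITICAL_MAX_AGE = 180       # critical actions: token must be under 3 minutes old
CRITICAL_ACTIONS = {"change_email", "change_password"}   # hypothetical list
CLOCK_SKEW = 30              # tolerate an iat slightly in the future


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact JWS (header.payload.signature) with HS256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_hs256(token: str, key: bytes) -> dict:
    """Verify the signature before trusting any claim, iat included."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never let the token choose
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_unb64url(payload_b64))


def authorize(token: str, key: bytes, action: str, now: float, is_revoked) -> str:
    """Return 'allow' or 'deny:<reason>'.

    is_revoked(sub) stands in for the database lookup; it is called only for
    critical actions, so common requests never touch the store.
    """
    try:
        claims = decode_hs256(token, key)
    except ValueError as exc:
        return f"deny:{exc}"
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)):
        return "deny:missing iat"
    age = now - iat
    if age < -CLOCK_SKEW:
        return "deny:iat in the future"
    if action in CRITICAL_ACTIONS:
        if age > CRITICAL_MAX_AGE:
            return "deny:token too old for critical action, re-authenticate"
        if is_revoked(claims.get("sub")):
            return "deny:session revoked"
        return "allow"
    if age > COMMON_MAX_AGE:
        return "deny:token expired"
    return "allow"


if __name__ == "__main__":
    key = b"example-key-not-for-production"           # constructed for the demo
    now = time.time()
    tok = encode_hs256({"sub": "alice", "iat": int(now) - 600}, key)
    print("view_profile:", authorize(tok, key, "view_profile", now, lambda sub: False))
    print("change_password:", authorize(tok, key, "change_password", now, lambda sub: False))
```

Two caveats the thread's scheme depends on: iat is asserted by the issuer, so it means nothing until the signature has been verified (hence the check order above), and a 3-minute window on critical actions is really a forced re-authentication step, since a client holding a 10-minute-old token has to obtain a new one before the password change is accepted. Revoked sessions are still only caught on the critical path; an hour-old token keeps working for common actions until it ages out.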