by spookthesunset 1867 days ago
So all of reddit, every page, needs to reverify its auth token every request? Like, what is the worst that is gonna happen in a five minute window between logout and the token expiring? Sure, make the account management pages reverify on every request... maybe even revalidate when you perform a sensitive write action (which is probably far less than 1% of the authenticated traffic). But every read request for a normal user? You are telling me that those all need to re-verify every request?

In the case of reddit, by not validating the auth token on every (non-sensitive) read request they could probably shave off 99% of the traffic going to their auth server. Better still, it improves page latency as each request doesn't need to block on waiting for a response from the auth server. Faster page loads! And, since you were smart about it... all the stuff where it actually does matter that the token gets verified right away... you can do that too! It's a win-win!

A lot of people misunderstand JWT or see it implemented incorrectly. JWT is pretty rad, honestly.


> So all of reddit, every page, needs to reverify its auth token every request?

Yes.

> Like, what is the worst that is gonna happen in a five minute window between logout and the token expiring?

Complete compromise of your reddit account.

> But every read request for a normal user? You are telling me that those all need to re-verify every request?

For information that is not public, yes.

> JWT is pretty rad, honestly.

In the eyes of an attacker, absolutely.
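As an added illustration of the window the two commenters disagree about (example code, not from either commenter): a minimal HS256 JWT verifier with a hypothetical in-memory revocation set keyed by the `jti` claim. A signature-plus-expiry check keeps accepting a token after logout until `exp` passes; consulting the revocation set on every request closes that window. The secret, claims and store are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # constructed for this example only
REVOKED = set()  # hypothetical in-memory store of logged-out jti values


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue(claims: dict) -> str:
    """Mint an HS256 JWT for the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def logout(token: str) -> None:
    """Server-side logout: remember the token's jti until it would have expired."""
    REVOKED.add(json.loads(_b64url_decode(token.split(".")[1]))["jti"])


def verify(token: str, now: int, check_revocation: bool) -> bool:
    """Signature + exp check; optionally also the revocation set."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return False  # reject anything but the algorithm we issued
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        return False
    if check_revocation and claims.get("jti") in REVOKED:
        return False
    return True


def demo() -> tuple:
    now = 1_700_000_000
    tok = issue({"sub": "alice", "jti": "t1", "exp": now + 300})
    logout(tok)
    # One minute after logout: stateless check still accepts, revocation check rejects.
    return verify(tok, now + 60, False), verify(tok, now + 60, True)
```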