by iratewizard 1852 days ago
To get around this, one could include the request IP address in the JWT and require a refresh token to be sent when the user's IP switches.

This is not a safe method for protecting against this type of cache vulnerability. IP addresses are regularly shared by multiple users, especially when behind NAT (even mobile ISPs are doing carrier grade NAT these days).
So there should be no fail safe since it can't be guaranteed to work in every scenario.
In this context, this would just prevent everybody from logging in. The JWT would correctly get rejected but people would still be getting the wrong token from the CDN over and over.
Which would you rather? The situation you just described or users accidentally spoofing each other's session?