by hn_throwaway_99 1808 days ago
This conversation comes up all the time when discussing JWTs, and unfortunately I think the issue is usually way overblown:

1. I don't believe there are any real security issues regarding logout if JWTs have a sufficiently short expiration time.

2. The reason this issue comes up is because of compliance auditors, who demand that as soon as the user logs out, the supplied token becomes invalid. However, if the JWT is adequately discarded from the client, the fact that the JWT is still valid for another ~5-10 minutes or so is only a security risk if the token has already been stolen. The fact of the matter here is you really aren't protecting against a new attack vector with this "must immediately revoke tokens on logout" rule.

3. Despite my beliefs with #2 (and I'd love to hear an argument why this isn't valid), good luck trying to convince an auditor about that fact, who often love finding minor/mundane issues to justify their existence. So you'll still need to maintain a small blocklist, but the data in that list is usually very small (most users never log out these days) and can often be replicated in memory to each server.

3 comments

I agree with your assessments, and your reply makes sense in the context of the above comments. Simply for any readers arriving here who didn't read the article, I just want to remind you that these are not the fundamental complaints of the actual article itself, and are also unrelated to the proposed solution.
This is solved with a revocation list, which only needs to contain the tokens issued within the last ~5-10m for which there is a reason for revocation. Add to that a revocation list for access tokens, which are typically 24h.

The sum of both lists is vastly smaller and easier to manage than distributing session state and maintaining it server side for every single user.
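The short-TTL-plus-small-blocklist design discussed in the top post and in this reply, as an added example that is not code from the thread: HS256 tokens with a 10-minute exp and a unique jti, and an in-memory revocation list keyed on jti that prunes itself once the token would have expired anyway, so it only ever holds the handful of tokens revoked in the last TTL window. The key, subjects and ids are constructed placeholders.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # assumption: a shared HMAC key; placeholder, not a real value
ACCESS_TTL = 600                  # 10-minute access tokens, the lifetime the thread assumes

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue(sub: str, jti: str, now: int) -> str:
    """Mint an HS256 JWT with a short exp and a unique id (jti) the blocklist can key on."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps({"sub": sub, "jti": jti, "iat": now, "exp": now + ACCESS_TTL}).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

class Revocations:
    """In-memory blocklist of jti -> exp. It only holds tokens that are both unexpired
    and explicitly revoked (logout, termination), so it stays small and can live on each server."""
    def __init__(self):
        self._revoked = {}

    def revoke(self, token: str) -> None:
        claims = json.loads(_unb64url(token.split(".")[1]))
        self._revoked[claims["jti"]] = claims["exp"]

    def is_revoked(self, jti: str, now: int) -> bool:
        # Drop entries whose token the exp check would reject anyway, then look up.
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}
        return jti in self._revoked

def verify(token: str, revoked: Revocations, now: int):
    """Return the claims if the token is well-formed, HS256-signed, unexpired and not
    revoked; otherwise None. The signature is checked before any claim is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_unb64url(header_b64))
        expected = hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if header.get("alg") != "HS256" or not hmac.compare_digest(expected, _unb64url(sig_b64)):
            return None
        claims = json.loads(_unb64url(body_b64))
    except ValueError:  # bad base64 / JSON / UTF-8 all derive from ValueError
        return None
    if claims["exp"] <= now or revoked.is_revoked(claims["jti"], now):
        return None
    return claims
```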

I'm sure there are employees out there that have their self-destruct scripts ready to go. If they are ever terminated they have 10 minutes of token validation time to blow everything up.
That would be insanely illegal.