by senko 1362 days ago
> If it claims "My account number is 435" then that's the account number.

What if the account number changed since the token was created?

This works only for immutable claims. If the truth behind those claims changes in the meantime, you have to be able to invalidate the token, or accept the fact that it serves stale information.

1 comment

> If the truth behind those claims changes in the meantime, you have to be able to invalidate the token, or accept the fact that it serves stale information.

Isn't that obvious? I mean, if we were talking about sessions and you put into the session information that can change outside the session, wouldn't the same problem exist?

I just don't see this as a fundamentally unique problem for JWTs.
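The pattern both comments are circling (a signed claim that goes stale when the underlying record changes, and the "invalidate or accept staleness" choice that follows) is easier to see in code. The following is an added example, not code from either commenter and not from any JWT library: it builds and verifies an HS256 JWT with the Python standard library only, then shows one invalidation mechanism, a server-side per-subject watermark (`claims_changed_at`, an assumed name) that rejects any token issued before the subject's mutable claims last changed. `SECRET`, `issue_token`, `validate`, `change_account_number` and the sample user "alice" with account number 435 are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment loads this from a secret store.
SECRET = b"demo-secret-not-for-production"

# Server-side record of when each subject's mutable claims last changed.
# Constructed in-memory state; in production this lives in a shared store
# (the point of the thread: a pure stateless verifier cannot know this).
claims_changed_at: dict = {}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint a compact HS256 JWT over `claims` (header.payload.signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_signature(token: str, secret: bytes = SECRET) -> dict:
    """Check structure, pin the algorithm, verify the MAC; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # never trust alg from the token
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


def change_account_number(user_db: dict, sub: str, new_number: int, now: int) -> None:
    """Update the record and move the watermark so older tokens are rejected."""
    user_db[sub]["account"] = new_number
    claims_changed_at[sub] = now


def validate(token: str, now: int, secret: bytes = SECRET) -> dict:
    """Signature + expiry + staleness check against the per-subject watermark."""
    claims = verify_signature(token, secret)
    if claims["exp"] <= now:
        raise ValueError("expired")
    if claims["iat"] < claims_changed_at.get(claims["sub"], 0):
        raise ValueError("stale: claims changed after issuance")
    return claims


def forge_account(token: str, new_account: int) -> str:
    """Rewrite the payload but keep the old signature (what an attacker can do)."""
    h, p, s = token.split(".")
    claims = json.loads(_b64url_decode(p))
    claims["account"] = new_account
    return h + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()) + "." + s


def demo() -> tuple:
    """Returns (account read before the change, outcome after, outcome of a forgery)."""
    user_db = {"alice": {"account": 435}}          # constructed sample record
    t0 = 1_000_000                                   # constructed epoch seconds
    tok = issue_token({"sub": "alice", "account": 435, "iat": t0, "exp": t0 + 3600})
    before = validate(tok, t0 + 10)["account"]       # 435, claim still true
    change_account_number(user_db, "alice", 436, t0 + 20)
    try:
        validate(tok, t0 + 30)
        after = "accepted"                           # would mean stale data served
    except ValueError as e:
        after = str(e)
    try:
        validate(forge_account(tok, 999), t0 + 10)
        forged = "accepted"
    except ValueError as e:
        forged = str(e)
    return before, after, forged
```

Without the watermark lookup, `validate` would keep returning 435 for the full hour of `exp`, which is the "accept stale information" branch of the first comment; the watermark is the "be able to invalidate" branch, and it costs exactly the shared state that a stateless token was supposed to avoid. Shortening `exp` is the usual middle ground: it bounds how long a stale claim can be served without per-request lookups.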