by xorcist
752 days ago
Well, hence (functional). Making the client forget a token sounds trivial. But there's a long tail of clients out there, and many cases where things might get more complicated. Maybe I'm damaged from working in a regulated industry, but a (possibly malicious) client who went through the logout process and could prove someone else reused the token after logout might have a case. Or another of a myriad of unknown possibilities. It's all very unnecessary. There's a reason we all used to invalidate trust server side. It's just so much easier to reason about.
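As an added illustration of the point made in the comment above (example code written for this page, not the commenter's or any project's), here is the difference between a purely stateless bearer token and one whose trust is also tracked server side. The HMAC-signed token format, the demo secret and the in-memory session store are assumptions for the example; the scenario is the one the comment describes: a user logs out, and a copy of their token made earlier is replayed afterwards. Stateless verification still accepts it until `exp`; server-side invalidation rejects it the moment the session is gone.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; a real service loads its signing key from a secrets manager.
SECRET = b"demo-signing-key-not-for-production"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, jti: str, ttl_seconds: int = 3600,
                now: Optional[float] = None) -> str:
    """Mint a compact HMAC-SHA256 signed token: base64url(claims).base64url(mac)."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "jti": jti, "exp": int(now) + ttl_seconds}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_stateless(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Check signature and expiry only. Once issued, nothing the server does
    can make this check fail before exp: logout is the client's problem."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) <= now:
        return None
    return claims


class SessionStore:
    """Server-side record of sessions that are still trusted, keyed by jti.
    In-memory here for the example; a shared cache or database in practice."""

    def __init__(self) -> None:
        self._live: set = set()

    def register(self, claims: dict) -> None:
        self._live.add(claims["jti"])

    def logout(self, jti: str) -> None:
        # Invalidate trust server side: the token may still exist on some
        # client, but it no longer buys anything.
        self._live.discard(jti)

    def is_live(self, jti: str) -> bool:
        return jti in self._live


def verify_stateful(token: str, store: SessionStore,
                    now: Optional[float] = None) -> Optional[dict]:
    """Signature and expiry as before, plus the server must still trust the session."""
    claims = verify_stateless(token, now)
    if claims is None or not store.is_live(claims["jti"]):
        return None
    return claims


def replay_after_logout() -> tuple:
    """Returns (stateless_accepts_replay, stateful_accepts_replay)."""
    t0 = 1_700_000_000  # constructed fixed clock so the run is deterministic
    store = SessionStore()
    token = issue_token("alice", "sess-1", now=t0)
    store.register(verify_stateless(token, now=t0))

    store.logout("sess-1")        # user completes the logout flow

    replay_time = t0 + 60         # well inside the one-hour ttl
    return (verify_stateless(token, now=replay_time) is not None,
            verify_stateful(token, store, now=replay_time) is not None)


if __name__ == "__main__":
    print(replay_after_logout())
```

The store here is an allowlist of live sessions, which is the classic server-side session model; a denylist of revoked `jti` values kept until each token's `exp` achieves the same rejection with less state, but either way the decision about whether a presented token is still trusted lives on the server, where it can be audited and reasoned about.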