by grassfedgeek 27 days ago
> and immediately realize

That's a narrow scenario, isn't it, if you have to "immediately" realize?

2 comments

The pattern described is a common Discord account theft method and it has proven very effective at locking people out of their accounts.
The example requires immediate action. If the hacker beats you, he can lock you out by taking over the account; it doesn't matter whether it is JWT or some other tech.
Why would it require immediate action? Most chat services have a rate limit; stopping them at ANY point prevents it from spreading further. The messages don't all get sent at once; they will use the full access period to send as much as they can. Accounts can't typically be taken over with just a cookie; changing passwords normally requires you to confirm your current one. I hope you haven't designed any services where a cookie is enough to lock people out.
No, it's called an example. I refuse to provide an example for every possible scenario, as that would not fit in the Hacker News comment limit.
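The disagreement above turns on whether a stolen session token on its own can lock the real owner out, and whether a stateless format such as JWT can be revoked once that theft is noticed. The following is an added illustration, not code from the thread or from any commenter: a minimal HS256-style token issuer and verifier in which a password change requires the current password (so a stolen token alone cannot take the account over), and every user carries a server-side session version that a password change or a "log out everywhere" action bumps, so tokens issued earlier stop verifying even though the token format is stateless. All names (`UserStore`, `SERVER_SECRET`, the `sv` claim, `revoke_all_sessions`) are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo secret; a real service loads this from a secret store.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class UserStore:
    """In-memory user table (constructed for the example)."""

    def __init__(self):
        self.users = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt,
            "hash": self._hash(password, salt),
            "session_version": 1,  # bumped to revoke every outstanding token
        }

    def check_password(self, username: str, password: str) -> bool:
        u = self.users.get(username)
        if u is None:
            return False
        return hmac.compare_digest(u["hash"], self._hash(password, u["salt"]))


def issue_token(store: UserStore, username: str, ttl: int = 3600) -> str:
    """Sign a JWT-shaped token carrying the user's current session version ('sv')."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {
        "sub": username,
        "sv": store.users[username]["session_version"],
        "exp": int(time.time()) + ttl,
    }
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SERVER_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_token(store: UserStore, token: str):
    """Return the username if signature, expiry and session version all check out, else None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SERVER_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
    except ValueError:  # covers bad base64, bad JSON and a wrong number of parts
        return None
    if claims.get("exp", 0) < time.time():
        return None
    user = store.users.get(claims.get("sub"))
    # A token signed before the session version was bumped is rejected here.
    if user is None or claims.get("sv") != user["session_version"]:
        return None
    return claims["sub"]


def change_password(store: UserStore, token: str, current_password: str, new_password: str) -> bool:
    """Holding a valid token is not enough: the current password must also be confirmed."""
    username = verify_token(store, token)
    if username is None or not store.check_password(username, current_password):
        return False
    u = store.users[username]
    u["salt"] = secrets.token_bytes(16)
    u["hash"] = store._hash(new_password, u["salt"])
    u["session_version"] += 1  # invalidates every token issued before this change
    return True


def revoke_all_sessions(store: UserStore, username: str) -> None:
    """The 'log out everywhere' action: one counter bump revokes all outstanding tokens."""
    store.users[username]["session_version"] += 1


def demo() -> dict:
    store = UserStore()
    store.create("alice", "correct horse")
    owner_token = issue_token(store, "alice")
    stolen_token = owner_token  # an attacker's copy of the cookie/token
    results = {}
    # With only the token, the password cannot be changed (current password unknown).
    results["attacker_change"] = change_password(store, stolen_token, "guess", "pwned")
    # Owner notices and logs out everywhere; the stolen token stops verifying.
    revoke_all_sessions(store, "alice")
    results["stolen_after_revoke"] = verify_token(store, stolen_token)
    # Owner logs in again and rotates the password, confirming the current one.
    fresh = issue_token(store, "alice")
    results["owner_change"] = change_password(store, fresh, "correct horse", "new pass")
    results["fresh_after_change"] = verify_token(store, fresh)
    results["new_login"] = verify_token(store, issue_token(store, "alice"))
    return results


if __name__ == "__main__":
    print(demo())
```

The session-version counter is the design choice worth noting: it keeps the token itself stateless (no per-token database row) while still giving the defender a single server-side switch, and the check costs one user lookup per request, which a session-backed design pays anyway.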