by sehrope
4739 days ago
Yes, that's the biggest downfall and also where having a centralized persistent store wins out. The best compromise between the two I've thought of is to have a centralized store that lists revoked tokens. Presumably there wouldn't be that many, so storing the revocations alone would be more efficient. Bonus points if you add a Bloom Filter[1] in front of the revocation lookup. In the end it's all about the use case you're solving. If the tokens themselves already have a short expiration (ex: password reset token with 5 minutes to live) then revocation isn't really an issue. For something long lived and dangerous (ex: remember me token to log into my bank account) it's much more important.

[1]: http://en.wikipedia.org/wiki/Bloom_filter
[1] https://github.com/django/django/blob/master/django/contrib/...