0

I have an app for user authentication and I ran into this issue where I have user who logged in and has the JWT (JsonWebToken) stored in the cookie. I stored the cookie after I validated the user. Next I, as the admin, remove that user from the database while he/she is still logged in. The since user is still logged, the user has a valid JWT in the browser, so it still thinks that it exists because the way I validate if a user is logged in is through the webtoken. I have been thinking about how to fix this but I haven been able to come up with anything yet.

I also posted this issue on GitHub.

Pete
  • 754
  • 2
  • 13
  • 27

2 Answers2

1

Take a look at Invalidating JSON Web Tokens

There are several techniques to invalidate a JWT token before its expiration when the user situation has changed and you can not not remove from localStorage/cookie: account deleted/blocked/suspended, password changed, permissions changed, user logged out by admin:

  1. Token blacklist: Store tokens that were between logout & expiry time, mark expired and check it in every request. You need server storage. You can include only the ID or use the issued time field. Tokens issued before last update of user would be invalid

  2. Expiry times short and rotate them. Issue a new one every few request. The problem is to maintain user logged when there are no requests (for example closing browser)

Other common techniques:

  • Allow change user unique ID if account is compromised with a new user&password login
  • Include last login date to remove old tokens
  • To invalidate tokens when user changes their password, sign the token with a hash of their password. If the password changes, any previous tokens automatically fail to verify. Extend this mechanism with other field of interest to sign. The downside is that it requires access to the database
Community
  • 1
  • 1
pedrofb
  • 37,271
  • 5
  • 94
  • 142
0

One way would be to make the cookie expire by settings its expiration timestamp to a date that has already passed.

Tarun Dugar
  • 8,921
  • 8
  • 42
  • 79
  • I can make the exp time stamp 1 day but what if I delete the user in 1 hour, and the user will be logged in for 23 hrs without even existing. – Pete Jul 23 '16 at 17:06
  • I dont know exactly how, but you modify the expiration time of the cookie when you delete the user. – Tarun Dugar Jul 23 '16 at 17:09