
I am using the 'jsonwebtoken' library in a Node app to generate JWTs. But my requirement, according to the business, is to forcefully invalidate a JWT issued to a user when he/she logs out. Is there any method like jwt.expire(...), or any other JWT library which supports forceful invalidation?

Now in my application I have set the expiry time for the token to 1 hour, and the token is saved in the DB for each user login. If a user logs out before 1 hour, the token is invalidated in the DB. But if an external user identifies the token, he can access our resources in the areas where we are not checking DB token invalidation (in many areas we are using the method jwt.verify(..), which succeeds until the token expiry time of 1 hour). My requirement is that the jwt.verify(..) method should return invalid for the token if the user logs out before 1 hour.

Seena V P
  • Basically you'd need to maintain a persistent (i.e. not only in-memory) token blacklist, which kind of defeats the purpose of JWT in the first place – nadavvadan Jul 12 '17 at 08:46
  • how are you managing your token? – Faysal Ahmed Jul 12 '17 at 08:46
  • Possible duplicate of [Invalidating JSON Web Tokens](https://stackoverflow.com/questions/21978658/invalidating-json-web-tokens) – Alex Jul 12 '17 at 08:46

0 Answers
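
One way to meet the requirement in the question, as an added example that is not part of the original thread: route every check through a single verify function that also consults a revocation list keyed by the token's `jti` claim, so no code path can skip the logout check. It uses a minimal HS256 implementation on `node:crypto` in place of `jsonwebtoken` so that it runs without dependencies; `issueToken`, `verifyToken`, `logout`, the in-memory `revoked` map (standing in for the DB table) and the secret are assumptions.

```javascript
// Added example: a minimal HS256 JWT on node:crypto stands in for jsonwebtoken.
const nodeCrypto = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // constructed value, not a real key
const revoked = new Map(); // jti -> exp (seconds); hypothetical stand-in for the DB table

const b64u = (v) => Buffer.from(v).toString('base64url');
const mac = (data) => nodeCrypto.createHmac('sha256', SECRET).update(data).digest();
const nowSec = () => Math.floor(Date.now() / 1000);

function issueToken(sub, ttlSeconds, now = nowSec()) {
  const header = b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const claims = { sub, jti: nodeCrypto.randomUUID(), iat: now, exp: now + ttlSeconds };
  const payload = b64u(JSON.stringify(claims));
  return `${header}.${payload}.${b64u(mac(`${header}.${payload}`))}`;
}

// Single entry point for every route: signature, algorithm, expiry, then revocation.
function verifyToken(token, now = nowSec()) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [header, payload, sig] = parts;
  const expected = mac(`${header}.${payload}`);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) {
    throw new Error('invalid signature');
  }
  const { alg } = JSON.parse(Buffer.from(header, 'base64url').toString());
  if (alg !== 'HS256') throw new Error('unexpected alg');
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString());
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('token expired');
  if (revoked.has(claims.jti)) throw new Error('token revoked');
  return claims;
}

// Logout: remember the jti only until the token would have expired anyway.
function logout(token, now = nowSec()) {
  const { jti, exp } = verifyToken(token, now);
  revoked.set(jti, exp);
  for (const [id, e] of revoked) if (e <= now) revoked.delete(id); // prune stale entries
}
```

Because entries are dropped once their `exp` has passed, the revocation list never holds more than one hour of logouts under the 1 hour expiry described in the question.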