
I read somewhere that the server has to maintain no state about issued tokens. How is this accomplished? Eventually I'd need to query the DB to find who the person bearing the token is.

Can someone explain the paradigm to me?

Thanks.

  • JWTs contain all information needed, including user ID or some other identifier. – tkausl Jun 05 '21 at 16:22
  • Does this answer your question? [Why JWT is a stateless authentication?](https://stackoverflow.com/questions/55881611/why-jwt-is-a-stateless-authentication) – jps Jun 05 '21 at 17:40

1 Answer


Stateful means the server has information in memory that is not stored to a database.

Imagine a word document and two people edit it simultaneously. Word for each user has its own state. This means you can say undo and it knows what you have done, so it can undo. Important: This information is not persisted to any database but just available in the server state. When you restart the server (or Word) this information is lost and you can’t undo recent changes.

What this means for JWT is that the server does not keep your session in memory. This in turn means it doesn’t remember that your last request was authenticated, but instead it requires you to send the token on each request.

The terminology is indeed a bit confusing as the data in the database is sometimes also referred to as (application) state.

Felix Dolderer