Tuomas Toivonen

Reputation: 23472

How to invalidate previous JWT token after refresh

In our application a new JWT token is returned in a cookie each time the user sends a request, even though the previous one still has much lifetime left. If a user makes multiple requests in a short period of time, there exist multiple valid tokens with almost full lifetime on each. The browser is of course using the latest one, but someone may still use the previous ones to impersonate the user.

Is there a way to invalidate the previous token when dispatching a new one, or is the only choice to dispatch a new token only when there is not much lifetime left on the last one?

Upvotes: 1

Views: 1431

Answers (1)

rdegges

Reputation: 33824

The only way to 'invalidate' tokens is by keeping track of them statefully.

This usually means doing something like keeping a key/value cache of tokens that are valid and invalid, and checking incoming request tokens against these lists on each request.

The downside to doing things this way is that you lose a lot of the 'stateless' benefits of JWTs (since you are still checking a centralized store for token validity), but the benefit is that you can be more 'secure' by immediately revoking tokens you no longer want serviceable.

One workaround is to have your access tokens be extremely short lived (5 minutes or so), to minimize any abuse.

Upvotes: 3
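One concrete shape of the stateful check this answer describes, as an added example that is not part of the question or the answer: the store keeps only the most recently issued token id (`jti`) per user, so issuing a fresh token on every request (the questioner's setup) automatically invalidates the one before it, and an explicit revoke drops the user entirely. The minimal HS256 signing helpers, the `SessionStore` class and the secret are constructed for the demo; in a real service the store would be a shared cache such as Redis and the secret would come from configuration.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-secret"  # constructed for the example only

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict) -> str:
    """Minimal HS256 JWT: header.payload.signature, all base64url."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_signature(token: str):
    """Return the claims if signature and expiry check out, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return None
    claims = json.loads(_unb64(payload))
    if claims.get("exp", 0) <= time.time():
        return None
    return claims

class SessionStore:
    """Stateful record of the single currently valid jti per user."""
    def __init__(self):
        self.current_jti = {}

    def issue(self, user: str, ttl: int = 300) -> str:
        jti = secrets.token_hex(16)
        self.current_jti[user] = jti  # overwriting revokes the previous token
        return sign_jwt({"sub": user, "jti": jti, "exp": int(time.time()) + ttl})

    def validate(self, token: str):
        """Signature, expiry, and then the stateful check: is this jti current?"""
        claims = verify_signature(token)
        if claims is None:
            return None
        if self.current_jti.get(claims.get("sub")) != claims.get("jti"):
            return None  # superseded by a newer token, or revoked
        return claims

    def revoke(self, user: str) -> None:
        self.current_jti.pop(user, None)
```

The trade-off the answer names is visible here: every request now costs one lookup in `current_jti`, and that store must be reachable by every instance that validates tokens.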
