Invalidating a stale session
There are several reasons to invalidate a JWT before its expiration time: the account was deleted, blocked or suspended, the password changed, permissions changed, or an administrator logged the user out.
This servlet demonstrates session tracking using hidden form fields by displaying the shopping cart for a bookworm.
When a user first accesses the site, that user is assigned a new HttpSession object and a unique session ID.
The session ID identifies the user and is used to match the user with the HttpSession object in subsequent requests.
Are there any methods of overcoming this aside from having the server store the session or making the expiration time short?
To my understanding we should give every JWT an id and check if it is revoked in a blacklist.
What I do not understand is what happens if your user needs to log out, or you need to invalidate a session before the expiration?

But since a blacklist is not stateless this may not be correct.

I'm very interested in this topic, thanks for asking.

The level of support, however, depends on the server. The minimal implementation provided by the servlet classes in JSDK 2.0 manages sessions through the use of persistent cookies.
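The revocation approach discussed above (give every JWT an id and reject ids that appear on a server-side blacklist) as an added, self-contained example; it is not code from the original thread. It uses only the Python standard library: an HS256 token is issued with a `jti` claim, `revoke` records that id in a denylist keyed by the token's `exp`, and `verify` rejects a token whose signature or expiry fails or whose `jti` is on the list. The signing secret, the function names `issue`/`revoke`/`verify`/`purge_expired`, and the sample timestamps are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for this example; a real service loads it from a secret store.
SECRET = b"example-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(subject: str, jti: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Issue an HS256 JWT that carries a unique id (jti) so it can be revoked later."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "jti": jti, "iat": now, "exp": now + ttl_seconds}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


# Server-side denylist: jti -> exp of the revoked token. This is the stateful part the
# thread worries about, but the state is bounded: an entry is only needed until the
# token would have expired on its own, after which purge_expired() drops it.
revoked: dict = {}


def revoke(token: str) -> None:
    """Called on logout, password change, suspension, etc.: blacklist this token's jti."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    revoked[payload["jti"]] = payload["exp"]


def purge_expired(now: int) -> None:
    """Drop denylist entries for tokens that have expired anyway."""
    for jti in [j for j, exp in revoked.items() if exp <= now]:
        del revoked[jti]


def verify(token: str, now: Optional[int] = None, check_revocation: bool = True) -> Optional[dict]:
    """Return the payload if the token is valid and not revoked, else None.

    check_revocation=False shows the gap a signature-and-expiry-only check leaves:
    a revoked token still verifies because nothing in the token itself changed.
    """
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
    except ValueError:  # malformed base64 or JSON
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the header's choice
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    if check_revocation and payload.get("jti") in revoked:
        return None
    return payload


if __name__ == "__main__":
    t0 = 1_000_000  # constructed "current time"
    token = issue("alice", "jti-1", 3600, now=t0)
    print("before logout:", verify(token, now=t0 + 1) is not None)
    revoke(token)  # user logs out
    print("after logout: ", verify(token, now=t0 + 1) is not None)
    print("without denylist check:", verify(token, now=t0 + 1, check_revocation=False) is not None)
```

The denylist only needs to hold ids of tokens that were revoked before their expiry, so its size is bounded by the revocation rate times the token lifetime; the shorter the lifetime, the less state the server keeps, which is the trade-off the thread refers to.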