What solutions are there to invalidate jwt tokens (jwt access tokens) when a user logs out?

Problem

Authenticating users with tokens is becoming increasingly popular as the client-server model spreads. In the past, sessions and cookies were the usual way to identify a user's session; now there is another option, token-based authentication, and in particular JWT.

A JWT is a string used for identification, usually of a user's login session. It works by digitally signing the payload attached to the token, so the server can authenticate the bearer from the token itself.

For example, if we need to store basic information to identify a user:

{
    "user_id": 1,
    "role": "user"
}

The JWT encodes that information together with a "signature", which can only be verified by a party holding the signing key (the server). A JWT with a valid signature therefore also means the information it carries has not been altered.

In the JWT, the exp claim is the expiration time of the token. Every signed token carries one, and the token is effectively invalid after that time. JWT is designed to reduce database lookups for identity information: the server only needs to verify the token and read the information it needs from the payload.

So a JWT is only truly invalidated when its exp has passed. How, then, do we revoke a JWT when a user logs out? Logging out essentially means ending the session, so the token must no longer be usable.

Simply delete the token from the browser

Clearly, this method does nothing for server-side security, but it is the simplest approach. When applying it, pray that hackers do not get hold of your token before you log out. Just kidding, but you should only use this method when security requirements are not strict.

Create a blacklist

You can store revoked tokens until their signed expiration time and check every incoming request against that list.

However, this seems to defeat the original point of not querying the database, since every request now needs a lookup.

The amount of stored data is smaller, though, because you only store the tokens that users have logged out of, and each entry can be dropped once its exp has passed.

This method also carries a major risk: you still cannot know whether the token was stolen before the user logged out. Or suppose the client hit an error before the logout request reached the server but had already deleted the token locally; the token then never makes it onto the server-side blacklist, yet it remains valid until it expires.

Keep token expiration time short and refresh them frequently

If you have heard of refresh tokens, this is the method that uses them to push the expiration time of the access token as low as possible.

Keeping the access token's lifetime short means it exists only for a brief period, forcing the client to use a refresh token to obtain a new one and keep rotating like that. If the access token or the refresh token leaks, we simply add that refresh token to the blacklist. This also keeps the blacklist smaller than it would be if we stored access tokens.

So what should we do when a user's token is found to have leaked?

In any case, be prepared for a user's token to leak and for you to have to deal with it. The simplest solution is to invalidate the identifier stored in the token's payload. For example, if the payload you sign into the token includes:

{
    "user_id": 1,
    "role": "user"
}

Then change that user's id (currently 1) in the database, so the signed payload no longer matches any record. Or, if it is serious, change the secret used to sign the tokens, which immediately invalidates every token ever issued.
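To make the three mechanisms from the sections above concrete (the logout blacklist, short-lived access tokens with rotating refresh tokens, and changing the signing secret as a last resort), here is an added example that is not the blog's code. It builds a minimal HS256 JWT issuer from the Python standard library so it runs offline; the class and method names (TokenService, issue, verify, logout, refresh, rotate_secret), the in-memory denylist standing in for a store with TTL, the jti and typ claims, and all timestamps and secrets are constructed for the example.

```python
# Added example (not the blog's code): stdlib-only HS256 JWTs with a jti denylist,
# single-use refresh tokens and emergency secret rotation. All names are hypothetical.
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenService:
    def __init__(self, secret: bytes, access_ttl=300, refresh_ttl=7 * 24 * 3600):
        self.secret = secret
        self.access_ttl = access_ttl      # seconds; the point of the scheme is to keep this short
        self.refresh_ttl = refresh_ttl
        self.denylist = {}                # jti -> exp; stands in for a Redis-style store with TTL

    def _sign(self, payload: dict) -> str:
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
        body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
        sig = hmac.new(self.secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        return f"{header}.{body}.{_b64url(sig)}"

    def issue(self, user_id: int, role: str, typ: str, now=None) -> str:
        now = int(time.time() if now is None else now)
        ttl = self.access_ttl if typ == "access" else self.refresh_ttl
        payload = {"user_id": user_id, "role": role, "typ": typ,
                   "jti": secrets.token_hex(16), "iat": now, "exp": now + ttl}
        return self._sign(payload)

    def _prune(self, now: float) -> None:
        # Entries whose token has expired on its own are dropped, so storage stays bounded.
        self.denylist = {j: e for j, e in self.denylist.items() if e > now}

    def verify(self, token: str, expected_typ: str, now=None):
        # Returns the payload if genuine, unexpired, of the right type and not revoked; else None.
        # The alg header is deliberately ignored: we always recompute HS256 with our own key.
        now = time.time() if now is None else now
        try:
            header, body, sig = token.split(".")
            signature = _b64url_decode(sig)
        except ValueError:
            return None
        expected = hmac.new(self.secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return None
        payload = json.loads(_b64url_decode(body))   # body is trusted only after the MAC check
        if payload.get("typ") != expected_typ or payload["exp"] <= now:
            return None
        self._prune(now)
        if payload["jti"] in self.denylist:
            return None
        return payload

    def logout(self, access_token: str, refresh_token: str, now=None) -> None:
        # Deny both tokens until their own exp. Only genuine tokens are recorded,
        # so forged strings cannot be used to bloat the denylist.
        for token, typ in ((access_token, "access"), (refresh_token, "refresh")):
            payload = self.verify(token, typ, now)
            if payload is not None:
                self.denylist[payload["jti"]] = payload["exp"]

    def refresh(self, refresh_token: str, now=None):
        # Rotation: the presented refresh token becomes single-use and a new pair is issued.
        payload = self.verify(refresh_token, "refresh", now)
        if payload is None:
            return None
        self.denylist[payload["jti"]] = payload["exp"]
        return (self.issue(payload["user_id"], payload["role"], "access", now),
                self.issue(payload["user_id"], payload["role"], "refresh", now))

    def rotate_secret(self) -> None:
        # Last resort from the text: every token signed with the old key now fails verification.
        self.secret = secrets.token_bytes(32)


def demo() -> dict:
    # Walk through logout, rotation, expiry, pruning and secret rotation with a fixed clock.
    svc = TokenService(b"constructed-demo-secret", access_ttl=300)
    t0 = 1_700_000_000
    access, refresh = svc.issue(1, "user", "access", t0), svc.issue(1, "user", "refresh", t0)
    r = {"valid_before_logout": svc.verify(access, "access", t0 + 10) is not None}
    svc.logout(access, refresh, t0 + 20)
    r["access_rejected_after_logout"] = svc.verify(access, "access", t0 + 30) is None
    r["refresh_rejected_after_logout"] = svc.refresh(refresh, t0 + 30) is None
    refresh2 = svc.issue(1, "user", "refresh", t0)            # a second, still-live session
    new_access, new_refresh = svc.refresh(refresh2, t0 + 40)
    r["old_refresh_is_single_use"] = svc.refresh(refresh2, t0 + 50) is None
    r["new_access_valid"] = svc.verify(new_access, "access", t0 + 50) is not None
    r["access_expires_on_its_own"] = svc.verify(new_access, "access", t0 + 340) is None
    svc.verify(new_refresh, "refresh", t0 + 400)              # triggers pruning of the expired jti
    r["expired_entries_pruned"] = len(svc.denylist) == 2
    svc.rotate_secret()
    r["everything_dead_after_secret_rotation"] = svc.verify(new_refresh, "refresh", t0 + 50) is None
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Two design points worth noting: the denylist is keyed by the jti claim rather than the whole token string, which keeps the entries small, and logout only records tokens whose signature verifies, which matters because the list is written on an unauthenticated code path. The refresh token is denylisted on every use, so a stolen refresh token that is replayed after the legitimate client has already rotated is rejected, and the honest client's failure becomes a signal worth logging.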

In any case, this method is only a last resort. What I want to say is: have backup plans ready to deal with token leaks at any time. JWT is designed to reduce server load, but weigh the trade-off between performance and security.

Summary

An access token is a string used to identify a user's session. When the access token is a JWT, we can identify the user without querying the database. Every JWT carries an expiration time, and if it leaks or is handled incorrectly at logout, the user's data is exposed to attack. Therefore, be careful when handling tokens at logout, and have contingency plans to deal with token leaks at any time.


Comments (1)

Thành Đỗ, 3 years ago

"Keep the token expiration time short and refresh them frequently" - I don't understand why we have to do this when XSS can grab the refresh token anyway

Xuân Hoài Tống, 3 years ago

You're right that the refresh token can be taken, but the purpose of the refresh token is to keep the access token's expiration time as short as possible; if it happens to leak, you can block the refresh token instead of the many long-lived access tokens you created

Thành Đỗ, 2 years ago

I mean the hacker can still get the refresh token