
I am creating a route /user/logout using dusterio/lumen-passport, and in the controller action I manually revoke tokens, which leads to the user being logged out.

I have two options to log out a user: revoke the token (which keeps the token persisted in the database and just sets a flag saying that the token is useless) or delete the token.

My question is simply this:

What is the best approach to manage tokens? Should I log out by deleting or by revoking?

In the future, I will be using Redis to store the tokens, so I suppose I should delete the tokens, since it doesn't make sense to persist expired data on the Redis server.

Wahyu Kristianto
d3p4n5hu
  • I think in your scenario, by deleting the token you achieve the same result as token invalidation but without the need to manage invalid tokens inside your store (whatever it is). – Raffaele Aug 17 '18 at 14:41

1 Answer


1) Revoke / invalidate the token.

2) Every time a protected API is called, you should check the token's validity and only then serve the request accordingly.

3) In case you encounter an invalid token, redirect the user to the login page, issue a valid token on successful authentication, and redirect them to the requested page again.

With this approach, even if there's an existing session open in another tab / window of the same browser, and the user hasn't yet logged in again after logout / session timeout, this will always ensure that a valid token is used all the time.

It definitely doesn't make sense to store expired tokens. Nor is it the right practice to store JWT tokens in the database. They should only be stored in session data and removed / replaced on change of validity.

Therefore, only store a single valid JWT token for a particular purpose in session data. Be sure you'll never get the same JWT token again, assuming your JWT token issuer server has the best implementation. So there's absolutely no point in storing them after expiry.

  • Please feel free to ask if you have any further doubts. – Aniruddha Kalburgi Aug 14 '18 at 11:03
  • In JWT there is a setting called 'refresh time' (REFRESH_TTL), which in my case is set to 2 weeks as a default. This is the period during which you can refresh your token. I understand the question and your answer. Personally I opted to delete tokens when logged out. Revoking tokens blacklists them. – Dimitri Mostrey Aug 17 '18 at 02:34
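Whether "delete" and "revoke" are interchangeable depends on what the per-request validity check (step 2 of the answer) actually consults. The following is an added example, not code from the question, the answer, or the lumen-passport project: it models the two designs behind this thread over an in-memory stand-in for the Redis store the asker plans to use. In the allow-list design (a record per issued token, like Passport's access-token table), absence already means invalid, so deleting on logout gives the same result as flagging the row, as Raffaele's comment says, and a key TTL equal to the token lifetime lets the store expire dead tokens by itself. In the deny-list design (self-contained JWTs validated by signature and exp, where "revoking" means blacklisting as Dimitri's comment describes), the logout marker must be kept until the token's exp; deleting it early reinstates the token. The store class, key names and the `_minted` set that stands in for signature verification are constructed for this illustration.

```python
import time
import uuid
from dataclasses import dataclass


class TTLStore:
    """Minimal in-memory stand-in for a Redis key/value store with per-key TTL
    (constructed for this example; swap in redis-py SET ... EX / GET / DEL)."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so the demo is deterministic
        self._data = {}              # key -> (value, expires_at)

    def set(self, key, value, ttl):
        self._data[key] = (value, self._clock() + ttl)

    def get(self, key):
        entry = self._data.get(key)
        if entry is None:
            return None
        value, expires_at = entry
        if self._clock() >= expires_at:   # Redis would have expired it already
            del self._data[key]
            return None
        return value

    def delete(self, key):
        self._data.pop(key, None)


@dataclass(frozen=True)
class Token:
    jti: str        # unique token id (the JWT "jti" claim / Passport token id)
    user_id: int
    exp: float      # absolute expiry, seconds since epoch


class AllowListSessions:
    """Stateful model: a token is valid only while its own record is present and
    unflagged (Passport's oauth_access_tokens table, or a Redis session key)."""

    def __init__(self, store, clock=time.time):
        self.store, self.clock = store, clock

    def issue(self, user_id, lifetime):
        tok = Token(uuid.uuid4().hex, user_id, self.clock() + lifetime)
        # key TTL == token lifetime, so the store drops expired tokens itself
        self.store.set(f"token:{tok.jti}", f"valid:{user_id}", lifetime)
        return tok

    def is_valid(self, tok):
        # run on every protected request; absence and "revoked" both fail
        return self.store.get(f"token:{tok.jti}") == f"valid:{tok.user_id}"

    def logout_by_revoke(self, tok):
        # Passport-style: keep the record, flip the flag; it lingers until exp
        self.store.set(f"token:{tok.jti}", "revoked", max(tok.exp - self.clock(), 0))

    def logout_by_delete(self, tok):
        # absence already means invalid, so deleting is enough and leaves nothing
        self.store.delete(f"token:{tok.jti}")


class DenyListJWT:
    """Stateless model: a self-contained JWT is accepted on signature + exp alone,
    so logout must record the jti in a deny list and keep it there until exp."""

    def __init__(self, store, clock=time.time):
        self.store, self.clock = store, clock
        self._minted = set()   # stands in for verifying the JWT signature

    def issue(self, user_id, lifetime):
        tok = Token(uuid.uuid4().hex, user_id, self.clock() + lifetime)
        self._minted.add(tok.jti)
        return tok

    def is_valid(self, tok):
        if tok.jti not in self._minted or tok.exp <= self.clock():
            return False                       # bad signature or expired
        return self.store.get(f"revoked:{tok.jti}") is None

    def logout(self, tok):
        remaining = tok.exp - self.clock()
        if remaining > 0:   # an already-expired token needs no deny entry
            self.store.set(f"revoked:{tok.jti}", "1", remaining)


def demo():
    """Exercise both models on a fake clock and return what each check said."""
    now = [1_700_000_000.0]
    clock = lambda: now[0]
    store = TTLStore(clock)
    out = {}

    sessions = AllowListSessions(store, clock)
    t1 = sessions.issue(user_id=7, lifetime=3600)
    t2 = sessions.issue(user_id=7, lifetime=3600)
    out["allow_fresh"] = sessions.is_valid(t1)
    sessions.logout_by_revoke(t1)
    sessions.logout_by_delete(t2)
    out["allow_after_revoke"] = sessions.is_valid(t1)   # both False: same outcome
    out["allow_after_delete"] = sessions.is_valid(t2)
    out["revoked_record_lingers"] = store.get(f"token:{t1.jti}") == "revoked"

    jwt = DenyListJWT(store, clock)
    t3 = jwt.issue(user_id=7, lifetime=3600)
    jwt.logout(t3)
    out["deny_after_logout"] = jwt.is_valid(t3)
    store.delete(f"revoked:{t3.jti}")      # the trap: "cleaning up" the deny entry
    out["deny_entry_deleted"] = jwt.is_valid(t3)        # token is live again
    now[0] += 3601                         # past exp: token dies on its own
    out["deny_after_exp"] = jwt.is_valid(t3)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The practical reading for the asker's setup: with a per-token record (database row or Redis key), delete on logout and give the key a TTL equal to the token lifetime; the lookup must treat a missing key as invalid, never as "unknown, let it through". Only if the API accepts JWTs without a per-token lookup is a revocation entry needed, and then it has to outlive the token's exp.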