Hello there, I have an application that generates a JWT token for the user on logging in. But the problem is I want to add the previous JWT token to a blacklist if the user logged in with a new device. The problem is I don't know how to get the previous JWT token when the user logs in again. Any suggestions?
The big question here is how does the user take a JWT from one device to another? You should be doing your best to hide the JWT, using it mostly in the Request Headers.
But if you are making a JWT accessible there are 2 ways you could approach this problem.
JWT expiration policy - this is the most common technique: the JWT expires after a certain time and the user must re-login. While this doesn't directly solve the problem of switching devices, it should prevent most cases.
Device property - when you generate the JWT, add a property to the JWT for the device type ("pc", "mobile", "tablet", etc.) and check that the property matches the user's current device. You could add an authorization step to your router that does this.

jmbmage
The access token expires in a short time, but the refresh token doesn't, so a malicious user can use the previous refresh token for a while. – famdude Jan 10 '23 at 16:29
@famdude how about the regular session id, does it know its session from a different device? Need to find a way to refresh the token only if it's on the same device. – alucard Mar 03 '23 at 06:22