0

I've read on various blog posts that a REST API does not require a logout endpoint.

Instead, the front end should just invalidate the token.

I'm using Laravel Sanctum; is this applicable to that?

Could someone explain why the session does not need invalidating on the server? If the token on the server is not invalidated, is there not a chance that a new user could be given the same token and access another user's details?

panthro

1 Answer

0

"is there not a chance that a new user could be given the same token and access another user's details?"

No mate, not a chance, because you must be generating the token with user information; in other words, you are "attaching" a token to a specified user. You can check this if you want.

Alper
  • So, I do not need to invalidate anything on the server then? I just need to delete the user's local token on the frontend? – panthro Jan 13 '22 at 12:01
  • You still have to invalidate, but not for the reason "a new user could be given the same token"; rather, for security issues: a hacker could pretend to be the user. Visit here -> https://stackoverflow.com/a/62497133/8968121 – Alper Jan 14 '22 at 08:24
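For reference, this is what server-side revocation looks like with Sanctum's token-based auth, as an added example that is not part of either post (it assumes Sanctum is installed and uses its documented `currentAccessToken()` and `tokens()` methods):

```php
<?php
// routes/api.php (added example; assumes Laravel Sanctum is installed and
// the routes below are protected by the auth:sanctum middleware)
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

Route::middleware('auth:sanctum')->group(function () {
    // Log out of this client only: delete the token that authenticated this
    // request. Sanctum stores a hash of every issued token in the
    // personal_access_tokens table, so once the row is gone the bearer string
    // the client still holds is rejected on its next request, even if the
    // frontend "forgot" to discard it. Deleting it client-side alone leaves
    // the token valid until it expires (Sanctum tokens do not expire by default).
    Route::post('/logout', function (Request $request) {
        $request->user()->currentAccessToken()->delete();

        return response()->noContent();
    });

    // Log out everywhere: revoke every token issued to this user. Useful after
    // a password change or when a token is suspected to have leaked.
    Route::post('/logout-all', function (Request $request) {
        $request->user()->tokens()->delete();

        return response()->noContent();
    });
});

// Note: this applies to API token authentication. For Sanctum's SPA
// cookie-based flow, currentAccessToken() is a transient token and logout is
// done by invalidating the web session instead (Auth::guard('web')->logout()).
```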