This is unacceptable. How can you be proud of cheating to win?
Even with the exp claim if the user saves the token before they log out they can reuse it until it actually expires, you have to generate jtis and store them in a blacklist which is what the author of the article meant…
Why can't you just change the secret on the server? It would invalidate all sessions.
This is unacceptable. How can you be proud of cheating to win?
Even with the exp claim if the user saves the token before they log out they can reuse it until it actually expires, you have to generate jtis and store them in a blacklist which is what the author of the article meant…
Why can't you just change the secret on the server? It would invalidate all sessions.