You dont need JWT to authenticate users

October 06, 2017

.. because you probably have two use cases:

  1. as a user I want to invalidate a specific session, without signing out all my devices
  2. as the system I want to be able to invalidate a session immediately

You can use a whitelist to define which token is active, or a blacklist where you store tokens you wont allow. In both cases you have to save the token and look it up in your database anyway. That said, you can use a plain old random strings to look up valid sessions (and eventually the user) in the DB.

Tammo Pape

Personal stuff esp. when a tweet is too short..
You can find me on Twitter → @tam_mo