undefined | Better HN

0 pointslfrodrigues9y ago0 comments

Token based auth doesn't need to be stateless. In fact in our current implementation it is not.

If you use stateless like JWT (we had this before) you end up having a huge problem: imagine a user wants to logout all the open accounts in different browsers.

How would you handle that? You would need to wait for the expiration of the token, a solution that is not that secure.

0 comments

smashed9y ago

One solution is to store the token in localStorage, which supports events.

You can listen for localStorage changes in all your tabs. When it changes, force a page reload or similar.

Edit: typos

lfrodriguesOP9y ago

I think you didn't understand the issue. Imagine you want to implement a "logout from all my sessions" like Facebook or Google have (sessions in different devices)

j / k navigate · click thread line to collapse