undefined | Better HN

story

0 pointsspookthesunset6y ago0 comments

For parts of the site where you need to boot somebody instantly... just hit up the authentication server on every request to validate the session. For parts of the site where it doesn’t matter so much, wait for the token to expire....

It isn’t all or nothing.

0 comments

gorgonian6y ago

I did exactly this on the last implementation of JWT I did. Common actions wouldn’t hit the database if the token was less than an hour old, but actions like changing email address or password would always check the database.

user59944616y ago

This just made me realize. There is an even simpler way to achieve the same result without a database.

The token includes the time when it was created (iat attribute) so critical actions could check that the token is less than 3 minutes old.

gorgonian6y ago

Yeah that’s what I did, with iat info. But I did that for every request, and critical actions always hit the db.

j / k navigate · click thread line to collapse

0 comments

gorgonian6y ago

user59944616y ago

This just made me realize. There is an even simpler way to achieve the same result without a database.

The token includes the time when it was created (iat attribute) so critical actions could check that the token is less than 3 minutes old.

gorgonian6y ago

Yeah that’s what I did, with iat info. But I did that for every request, and critical actions always hit the db.

j / k navigate · click thread line to collapse