Invalidating the data store
For a new project I'm working on, I'm thinking about switching over from a cookie-based session approach (by this, I mean storing an id to a key-value store containing user sessions in a user's browser) to a token-based session approach (no key-value store) using JSON Web Tokens (JWT).
The project is a game that utilizes - having a token-based session would be useful in such a scenario, where there will be multiple communication channels in a single session (web and socket.io). How would one provide token/session invalidation from the server using the JWT approach?
But if you want to do it, here is the gist. Goals: this requires you to maintain a blacklist (state) on the server, assuming the user table contains banned user information.
This would render all associated tokens invalid, as the associated user would no longer be able to be found.
I also wanted to note that it is a good idea to include the last login date with the token, so that you are able to enforce a relogin after some distant period of time.
The problem with this method is that it makes it impossible to keep the user logged in between closes of the client code (depending on how long you make the expiry interval).
If there ever was an emergency, or a user token was compromised, one thing you could do is allow the user to change an underlying user lookup ID with their login credentials.
You've essentially made JWT stateful, instead of stateless if you go to the datastore each time. Any other application critical data in the JWT token is changed by the site admin.
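The server-side checks the answers above describe (a banned flag in the user table, a last-login value carried in the token, an expiry interval, and a user lookup id that can be rotated), as an added example that is not part of the original thread. It uses a hand-rolled HS256 JWT with the standard library only; the in-memory USERS table, the SECRET and the time values are constructed for the demonstration.

```python
import base64, hashlib, hmac, json

SECRET = b"demo-secret-change-me"  # constructed placeholder, not a real key

# Constructed in-memory "user table": lookup id -> record. Flipping "banned",
# bumping "last_login" or renaming the lookup id invalidates existing tokens.
USERS = {"u-1001": {"banned": False, "last_login": 1_700_000_000}}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(lookup_id: str, now: int, ttl: int = 3600) -> str:
    """Sign a JWT that embeds the user's current last_login value."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": lookup_id, "iat": now, "exp": now + ttl,
              "last_login": USERS[lookup_id]["last_login"]}
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_token(token: str, now: int, max_session_age: int = 7 * 86400):
    """Return (ok, detail): signature and expiry first, then the stateful checks."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return False, "bad alg"          # never trust the header's algorithm
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return False, "bad signature"
        claims = json.loads(_unb64(payload))
    except (ValueError, KeyError):
        return False, "malformed"
    if now >= claims["exp"]:
        return False, "expired"
    user = USERS.get(claims["sub"])          # rotated lookup id -> no record
    if user is None:
        return False, "unknown user"
    if user["banned"]:                        # blacklist state lives in the user table
        return False, "banned"
    if claims["last_login"] != user["last_login"]:
        return False, "stale login"          # a newer login supersedes this token
    if now - user["last_login"] > max_session_age:
        return False, "relogin required"     # enforce a fresh login after a long period
    return True, claims["sub"]
```

Every one of these checks after the signature step needs the datastore, which is exactly the stateful trade-off the last answer points out.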