
I did exactly this on the last implementation of JWT I did. Common actions wouldn’t hit the database if the token was less than an hour old, but actions like changing email address or password would always check the database.


This just made me realize. There is an even simpler way to achieve the same result without a database.

The token includes the time when it was created (iat attribute) so critical actions could check that the token is less than 3 minutes old.


Yeah that’s what I did, with iat info. But I did that for every request, and critical actions always hit the db.
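The two policies described in this thread, combined into one authorization check, as an added example that is not code from either commenter: a token under an hour old lets common actions skip the database, critical actions require an `iat` under three minutes old and always consult the database. Signature verification is written with the standard library so it runs offline; the `is_revoked` callback standing in for the database query, the `sub` claim and the key are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Thresholds from the thread (constructed constants for this example).
COMMON_MAX_AGE = 3600  # common actions skip the DB while the token is this young
CRITICAL_MAX_AGE = 180  # critical actions demand a token at most this old

def _b64url(data: bytes) -> str: return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes: return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact HS256 JWT (stdlib only, used here to build sample tokens)."""
    header = _b64url(json.dumps({"alg": "HS256"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_hs256(token: str, key: bytes) -> dict:
    header, body, sig = token.split(".")  # ValueError unless exactly three parts
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm, never trust the header
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64url(body))

def authorize(token, key, critical, is_revoked, now):
    """Return (allowed, reason, db_checked); is_revoked(sub) stands in for the DB lookup."""
    try:
        claims = verify_hs256(token, key)
    except ValueError as exc:
        return False, str(exc), False
    if "iat" not in claims or claims["iat"] > now:  # reject missing or future-dated iat
        return False, "missing or future iat", False
    age = now - claims["iat"]
    if critical:
        if age > CRITICAL_MAX_AGE:
            return False, "re-authentication required", False
        if is_revoked(claims["sub"]):  # critical actions always hit the database
            return False, "session revoked", True
        return True, "fresh token, not revoked", True
    if age <= COMMON_MAX_AGE:
        return True, "token young enough, database skipped", False
    if is_revoked(claims["sub"]):
        return False, "session revoked", True
    return True, "older token verified against database", True
```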
