Invalidating JSON Web Tokens

Frontend · unresolved · 28 · 2991
夕颜 2020-11-22 06:17

For a new node.js project I'm working on, I'm thinking about switching over from a cookie based session approach (by this, I mean, storing an id to a key-value store conta

28 answers
  •  说谎 (OP)
     2020-11-22 06:51

    If "logout from all devices" option is acceptable (in most cases it is):

    • Add the token version field to the user record.
    • Add the value in this field to the claims stored in the JWT.
    • Increment the version every time the user logs out.
    • When validating the token compare its version claim to the version stored in the user record and reject if it is not the same.

    A DB trip to get the user record is required anyway in most cases, so this does not add much overhead to the validation process, unlike maintaining a blacklist, where DB load is significant due to the need for a join or a separate call, cleaning up old records, and so on.
