log out a stateless app

让人想犯罪 __ submitted on 2019-12-25 09:05:00

Question


Here is what my project structure look like

  • UI: AngularJS app
  • Backend: Java + MongoDB stateless app

The UI authenticates a given user and the REST API responds with a JWT token. For every subsequent request, the REST API expects the token in the header and if it's not there it returns an Unauthorized error.

Now, what is the best way to implement a logoff feature? One thing is clear: I will be deleting the token from the UI cookie. But I need to tell the server that the user has logged out.

I was thinking of maintaining an in-memory DB to keep track of who has logged in and removing the user from memory once he is logged out, BUT it would make the app some sort of stateful (I guess). Also, it could become complicated to scale the app since I would have to replicate the in-memory users across all nodes.

For every REST call, I am fetching the user details from MongoDB. Would it make sense to use the DB to store the logged-in status? I am just thinking out loud, since I don't know which direction to head.


Answer 1:


If you are using JWTs to maintain sessions client-side, then the server should have no concept of logged-in and logged-out users.

This is the price you pay for deciding to use JWTs (which may be fine of course, depending on your risk appetite for the application).

If you wish to log users out server-side, then you should scrap the JWT model and record sessions server-side. That way you can delete the server-side record as well as the cookie on logout.
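As an added example (not code from the question or the answer), the following Python sketch puts the two models side by side: a self-contained HMAC-signed token that the server verifies with no record of its own, and an opaque session id whose record lives server-side and is deleted on logout. The names (issue_token, verify_token, SessionStore), the signing key and the in-memory dict standing in for the MongoDB mentioned in the question are assumptions made for this demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Added example, not the question's code base. The signing key below is
# constructed for the demo only.
SECRET = b"example-signing-key-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, ttl_seconds: int, now: float, secret: bytes = SECRET) -> str:
    """Stateless JWT-style token: header.payload.signature, HMAC-SHA256 over the first two parts."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": subject, "iat": int(now), "exp": int(now) + ttl_seconds}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now: float, secret: bytes = SECRET):
    """Return the claims if the signature is valid and the token is unexpired, else None.
    The server keeps no record, so it cannot know whether the user has 'logged out'."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        return None
    return claims


class SessionStore:
    """Server-side sessions: the cookie carries only an opaque random id; the
    record lives here (a dict standing in for the shared database)."""

    def __init__(self):
        self._sessions = {}

    def login(self, subject: str, now: float, ttl_seconds: int) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy, not guessable
        self._sessions[sid] = {"sub": subject, "exp": now + ttl_seconds}
        return sid

    def authenticate(self, sid: str, now: float):
        rec = self._sessions.get(sid)
        if rec is None or rec["exp"] <= now:
            self._sessions.pop(sid, None)
            return None
        return rec["sub"]

    def logout(self, sid: str) -> None:
        # Deleting the server-side record is what makes the logout effective.
        self._sessions.pop(sid, None)


def demo():
    """Login, client-side 'logout', then a request replaying the old credential."""
    now = time.time()
    # Stateless token: the client may have deleted its cookie, but a replayed
    # copy is still accepted because only signature and expiry are checked.
    token = issue_token("alice", ttl_seconds=3600, now=now)
    token_still_valid = verify_token(token, now + 10) is not None
    # Server-side session: logout removes the record, so the replay fails.
    store = SessionStore()
    sid = store.login("alice", now, ttl_seconds=3600)
    before = store.authenticate(sid, now + 5)
    store.logout(sid)
    after = store.authenticate(sid, now + 10)
    return {"token_still_valid": token_still_valid,
            "session_before": before, "session_after": after}


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the replayed stateless token still verifying after the client has "logged out", while the opaque session id stops working the moment its server-side record is deleted. The session store is the stateful piece the question worries about; in a multi-node deployment that dict would be the shared database rather than process memory.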



Source: https://stackoverflow.com/questions/39238543/log-out-a-stateless-app
