{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 一夜七次 的问题《How to destroy JWT Tokens on logout?》','https://www.manongdao.com/q-184843.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I am using jwt plugin and strategy in hapijs. I am able to create jwt token while login user and authenticate other API using the same token through 'jwt' strategy. I am setting the token in 'request.state.USER_SESSION' as a cookie where USER_SESSION is token name. Also I am not saving these token in database. But how can I destroy jwt token at the time of logout. Please suggest a way.
相关问题
- npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fs
- google-drive can't get push notifications
- How to reimport module with ES6 import
- Why is `node.js` dying when called from inside pyt
- How to verify laravel passport api token in node /
相关文章
- node连接远程oracle报错
- How can make folder with Firebase Cloud Functions
- @angular-cli install fails with deprecated request
- node.js modify file data stream?
- How to resolve hostname to an ip address in node j
- Transactionally writing files in Node.js
- Log to node console or debug during webpack build
- Get file created date in node
You cannot manually expire a token after it has been created. Thus, you cannot actually log out with JWT on the server side as you do with sessions.
JWT is stateless, meaning that you should store everything you need in the payload and skip performing a DB query on every request. But if you plan to have a strict log out functionality, that cannot wait for the token auto-expiration, even though you have cleaned the token from the client side, then you might need to neglect the stateless logic and do some queries. so what's a solution?
Set a reasonable expiration time on tokens
Delete the stored token from client side upon log out
Query provided token against The Blacklist on every authorized request
The Blacklist
“Blacklist” of all the tokens that are valid no more and have not expired yet. You can use a DB that has TTL option on documents which would be set to the amount of time left until the token is expired.
Redis
Redis is a good option for blackblist, that will allow fast in memory access to the list. Then, in a middleware of some kind that runs on every authorized request, you should check if provided token is in The Blacklist. If it is you should throw an unauthorized error. And if it is not, let it go and the JWT verification will handle it and identify if it is expired or still active.
The JWT is stored on browser, so remove the token deleting the cookie at client side
If you need also to invalidate the token from server side before its expiration time, for example account deleted/blocked/suspended, password changed, permissions changed, user logged out by admin, take a look at Invalidating JSON Web Tokens for some commons techniques like creating a blacklist or rotating tokens