[Security Issue] Invalidating tokens on logout #72

Open
areebbeigh opened this issue Dec 28, 2018 · 1 comment
Comments

areebbeigh commented Dec 28, 2018

The server doesn't have any way of invalidating a user's JWT once he/she has logged out. I was able to get the JWT from the request header, log out, and still access protected APIs from Postman using the old JWT.

@areebbeigh areebbeigh changed the title Invalidating tokens on logout [Security Issue] Invalidating tokens on logout Dec 28, 2018
areebbeigh (Author) commented

Since it is possible to steal a logged-in user's JWT as well, an implementation of a combination of solutions discussed here should work fine?
