
> storing the "real" expiration in cache so that it can be extended (or revoked) as needed.

You can also have a password_last_changed field on your user model, where any token issued before this date is considered invalid. That way, if a user's account somehow gets compromised, all they need to do is change their password and then all of their existing sessions are expired automatically.

I can't think of any good reason for storing the expiration dates of each individual token, although maybe there is a use case somewhere.



You're missing the whole point. If the server was to track password_last_changed it might as well just track user_currently_loggedin.


No, there is a huge difference in write load between those two options.


But it's not RESTful which was the entire purpose of JWT.



