JWT: A solution to let the token expire after a certain time of inactivity?

JWTs are self-describing, integrity-checked tokens. They are not designed for the use-case you described. JWTs cannot be expired on demand, nor can their validity be extended.

What you can do with these tokens is issue new tokens, just like you described. This will not invalidate the old ones. You will end up generating lots of tokens which will expire by themselves.

Am I missing a major flaw with this approach?

JWTs are not designed for full-blown session management. They come with various tradeoffs. One of these is the inability to update them or expire them on demand. The workaround you described works perfectly. I wrote a short post about session management, which should help you decide whether to make the tradeoffs.

In my opinion, you should probably move to the "classical" session management model. It supports idle timeouts and you also won't end up with lots of "sessions" (tokens).
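The following is an added example, not code from the answer's author or from the linked post. It implements the two approaches the answer contrasts: a sliding-expiry JWT scheme that re-issues a token on every authenticated request (so old tokens keep working until their own exp), and a "classical" server-side session store that supports idle timeouts and immediate revocation. Assumptions made here: HS256 signing, a constructed demo secret, a 15-minute idle window, and hand-rolled base64url/JSON encoding instead of a JWT library so the block runs offline.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values; a real service loads the key from a secret store.
SECRET = b"demo-secret-not-for-production"
IDLE_TIMEOUT = 15 * 60  # seconds of inactivity after which a token is useless


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, now: int, idle_timeout: int = IDLE_TIMEOUT) -> str:
    """Mint an HS256 JWT whose exp is now + idle_timeout."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"sub": subject, "iat": now, "exp": now + idle_timeout}).encode())
    signing_input = f"{header}.{claims}"
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, now: int):
    """Return the claims if the signature checks and exp is in the future, else None.
    Note what is NOT here: no revocation lookup, so nothing can cut a token short."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # pin the algorithm; never let the token choose it
        expected = hmac.new(SECRET, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(claims_b64))
    except ValueError:  # bad structure, bad base64 or bad JSON
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def touch_token(token: str, now: int):
    """Sliding expiry with JWTs: on each authenticated request, hand back a fresh token.
    The old token is not invalidated; it keeps working until its own exp (the tradeoff)."""
    claims = verify_token(token, now)
    return None if claims is None else issue_token(claims["sub"], now)


class SessionStore:
    """The 'classical' alternative: server-side state, one session per login,
    idle timeout enforced on every lookup, and revocation on demand."""

    def __init__(self, idle_timeout: int = IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self._sessions = {}  # session id -> {"sub": ..., "last_seen": ...}

    def create(self, session_id: str, subject: str, now: int) -> None:
        self._sessions[session_id] = {"sub": subject, "last_seen": now}

    def lookup(self, session_id: str, now: int):
        s = self._sessions.get(session_id)
        if s is None or now - s["last_seen"] > self.idle_timeout:
            self._sessions.pop(session_id, None)  # idle too long: drop it
            return None
        s["last_seen"] = now  # activity extends the idle window in place
        return s["sub"]

    def revoke(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)


def demo():
    t0 = 1_700_000_000  # constructed timestamp
    first = issue_token("alice", t0)
    second = touch_token(first, t0 + 600)  # activity 10 minutes in
    store = SessionStore()
    store.create("sid-1", "alice", t0)
    store.lookup("sid-1", t0 + 600)  # activity resets the idle clock
    store.revoke("sid-1")  # logout takes effect immediately
    store.create("sid-2", "alice", t0)
    return {
        "first_valid_at_0": verify_token(first, t0) is not None,
        "second_valid_at_20m": verify_token(second, t0 + 1200) is not None,
        "first_still_valid_at_14m": verify_token(first, t0 + 840) is not None,
        "first_dead_at_15m": verify_token(first, t0 + 900) is None,
        "session_dead_after_revoke": store.lookup("sid-1", t0 + 601) is None,
        "session_idle_expires": store.lookup("sid-2", t0 + 901) is None,
    }
```

The `first_still_valid_at_14m` entry is the point the answer makes: after the refresh at minute 10 there are two live tokens for the same user, and the server has no way to retire the older one early. The session store, by contrast, has exactly one record per login, slides it on activity, and can drop it the moment the user logs out.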
