Consider using a short expiration time on the access token and using a refresh token, with a long-lived expiration, to allow for checking of the user's access status in a database (blacklisting). You could store the invalid tokens until their initial expiry date, and compare them against incoming requests. This seems to negate the reason for going fully token based in the first place though, as you would need to touch the database for every request.

My own gut (perhaps because it is more traditional) is just to have the token (or a hash of it) act as a key into a white-listed session database (similar to #2 above). While it works fine, personally I don't see much difference to traditional session stores.
This Coding Horror post offers some advice: keep session-bearing cookies (or tokens) short but make it invisible to the user - which appears to be in line with #3.
So, say I have the following (adapted from this and this):

Session Store Login:

--

A logout (or invalidate) for the Session Store approach would require an update to the Key Value Store database with the specified token.
It seems like such a mechanism would not exist in the token-based approach since the token itself would contain the info that would normally exist in the key-value store.
You can extend this to logout by including a last-logout-time in the user's record and using a combination of the last-logout-time and password hash to sign the token.
This requires a DB lookup each time you need to verify the token signature, but presumably you're looking up the user anyway.
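As an added example (not code from the question or the answer above), this sketches the last-logout-time scheme: the HMAC key for a user's tokens is derived from the server secret, the user's password hash and their last-logout time, so a logout or password change silently invalidates every earlier token with no blacklist. The `USERS` dict is an assumed in-memory stand-in for the user table and all values in it are constructed.

```python
import base64, hashlib, hmac, json, time

SERVER_SECRET = b"constructed-example-secret"  # constructed; load from config in practice

# Constructed stand-in for the user table the answer says you look up anyway.
USERS = {"alice": {"password_hash": "pbkdf2$constructed-hash", "last_logout": 0}}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _signing_key(user: dict) -> bytes:
    # Key material changes whenever the password hash or last-logout time changes,
    # so tokens signed under the old material stop verifying.
    material = f"{user['password_hash']}|{user['last_logout']}".encode()
    return hmac.new(SERVER_SECRET, material, hashlib.sha256).digest()

def issue_token(username: str, ttl: int = 900, now=None) -> str:
    now = int(time.time()) if now is None else now
    payload = {"sub": username, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(_signing_key(USERS[username]), body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"

def verify_token(token: str, now=None):
    """Return the payload if signature and expiry hold, else None."""
    now = int(time.time()) if now is None else now
    try:
        body, sig_text = token.split(".")
        payload = json.loads(_unb64(body))
        sig = _unb64(sig_text)
        user = USERS[payload["sub"]]          # the one DB lookup per request
    except (ValueError, KeyError, TypeError):
        return None
    expected = hmac.new(_signing_key(user), body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None                           # logged out or password changed since issue
    if payload["exp"] <= now or payload["iat"] > now + 60:
        return None                           # expired, or issued in the future
    return payload

def logout(username: str, now=None) -> None:
    # Bump last_logout: every token signed with the previous key now fails.
    USERS[username]["last_logout"] = int(time.time()) if now is None else now
```

Because the key is per-user rather than global, a logout only invalidates that user's tokens, and no per-token state is stored anywhere.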