-
-
Notifications
You must be signed in to change notification settings - Fork 52
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reset password, why JWT can still be used #219
Comments
Once a JWT is issued, it generally will be valid until expired or the secret used to generate the token changes. Generally, changing the secret may be very disruptive as it would effectively revoke all outstanding tokens. You have two other options that come to my mind:
It should be noted that both of these solutions turn your JWT into being stateful, that it so say they require the existence of some state on your application to be verified. I am not saying this is a bad thing. Every application has its own needs. Rather, I want to point out that it does mean that the token can no longer be either verified or denied just by inspecting it. Some further information or operation is needed. |
Hi
After the client reset the password, the previous JWT can still be used. What should I do
The text was updated successfully, but these errors were encountered: