symfony
user9823, 2020-11-20 19:20:06

How to implement JWT Symfony Logout?

Hello everyone.
The task is the following. I implemented a small API for authorization and login on Symfony following this guide:
https://smoqadam.me/posts/how-to-authenticate-user...
Now the task is to log the user out.
On the front end (apparently through Nuxt) the basic delete methods are implemented, which simply remove the JWT from local storage, but the request does not actually reach the server.
I somehow need to save the session in the database or somewhere else and, when the user logs out, remove it from there; or, for example, it will be necessary to implement a "sign out from all devices" button, or to quickly log out all users. You can log them out by simply changing the secret key for the JWT, but that is not a good thing to do.
Who has any thoughts? How can I log out a user through JWT, given that it itself has an expiration time, so substitution and login from a new device are possible in principle?


2 answer(s)
apapacy, 2020-12-06
@user9823

The article you link to contains two common mistakes in using JWTs.
1. JWT is used so that you do not have to go to the database for user data. User data is stored in the JWT. This slightly increases the load on the network, but immediately halves the number of requests to the database. And this is critical for loaded services. In addition, it allows you to move authorization into a separate microservice.
2. You will probably ask what to do if the data changes. To do this, reduce the validity period of the token to the minimum value. In order not to go through the authorization procedure again to renew this token, a long-term token is issued; by presenting it you can obtain a new short-term token and thereby receive updated data.
The question arises what to do if the user was banned or, as in your case, logged out. Or just his critical data has changed. To do this, a token cancellation registry is organized, in which records are stored for the lifetime of the token. Such a registry will have a relatively small size, since the storage time of short-term tokens is not long. It's better to organize it on a fast key/value database.
And finally, the difficult question is how to cancel a long-term token in your case. If the token does not have an expiration date, then information about its cancellation will have to be stored forever. True, requests for its status will be an order of magnitude fewer than requests for the status of a short-term token.
Another way is to store the identifiers of open sessions in a table and in the token, and when renewing the token, check whether the user has closed the session. This method allows, in particular, organizing a login from only one device, where a new login closes all other sessions. And implementing forced logout of clients from one device or from the admin panel.
About logout, you also need to keep in mind that it will always be a somewhat unreliable operation, since during the logout there may be no Internet and the API call will fail.
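The scheme apapacy describes, as an added example that is not code from the question, the answer or the linked article: a short-lived access token that carries the user data (so authentication never reads the user table), a long-lived refresh token, a cancellation registry keyed by token id whose entries only live as long as the token itself, and a session table consulted on refresh so that a "sign out from all devices" button can close every session. It is a language-agnostic Python sketch rather than Symfony code; the stdlib HS256 signing, the in-memory registry standing in for a Redis-style store with TTL, the `sid`/`jti` claim names, the TTL values and the secret are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed; load from config in practice
ACCESS_TTL = 300              # short-lived access token: 5 minutes
REFRESH_TTL = 30 * 24 * 3600  # long-lived refresh token: 30 days

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict) -> str:
    """Minimal HS256 JWT encoder (stdlib only so the example runs offline)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify(token: str, now: int) -> Optional[dict]:
    """Claims if the signature checks out and the token is unexpired, else None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None  # tampered, or signed with another key
    claims = json.loads(_unb64(body))
    return None if claims.get("exp", 0) <= now else claims

class RevocationRegistry:
    """Stands in for a key/value store with per-key TTL (e.g. Redis SETEX)."""

    def __init__(self) -> None:
        self._entries: dict = {}  # jti -> expiry of the cancelled token

    def revoke(self, jti: str, exp: int) -> None:
        self._entries[jti] = exp  # only needed until the token would expire anyway

    def is_revoked(self, jti: str, now: int) -> bool:
        exp = self._entries.get(jti)
        if exp is not None and exp <= now:
            del self._entries[jti]  # what the store's TTL would do; keeps the registry small
            return False
        return exp is not None

class AuthService:
    def __init__(self) -> None:
        self.revoked = RevocationRegistry()
        self.sessions: dict = {}   # sid -> user id: open refresh sessions (a DB table in practice)
        self.user_data: dict = {}  # user id -> data copied into access tokens, e.g. roles

    def login(self, user_id: str, now: int):
        sid = secrets.token_hex(8)
        self.sessions[sid] = user_id
        refresh = sign({"sub": user_id, "sid": sid, "typ": "refresh", "exp": now + REFRESH_TTL})
        return self._issue_access(user_id, sid, now), refresh

    def _issue_access(self, user_id: str, sid: str, now: int) -> str:
        # User data rides inside the token, so authenticate() never reads the user table.
        return sign({"sub": user_id, "sid": sid, "jti": secrets.token_hex(8), "typ": "access",
                     "roles": self.user_data.get(user_id, {}).get("roles", []),
                     "exp": now + ACCESS_TTL})

    def authenticate(self, access_token: str, now: int) -> Optional[dict]:
        claims = verify(access_token, now)
        if claims is None or claims.get("typ") != "access":
            return None
        return None if self.revoked.is_revoked(claims["jti"], now) else claims

    def refresh(self, refresh_token: str, now: int) -> Optional[str]:
        claims = verify(refresh_token, now)
        if claims is None or claims.get("typ") != "refresh":
            return None
        if self.sessions.get(claims["sid"]) != claims["sub"]:
            return None  # session closed by logout, logout_everywhere or an admin
        return self._issue_access(claims["sub"], claims["sid"], now)

    def logout(self, access_token: str, now: int) -> bool:
        claims = verify(access_token, now)
        if claims is None or claims.get("typ") != "access":
            return False
        self.revoked.revoke(claims["jti"], claims["exp"])  # cancel this access token now
        self.sessions.pop(claims["sid"], None)             # and its refresh token
        return True

    def logout_everywhere(self, user_id: str) -> int:
        # Closes every refresh session; access tokens already issued die at ACCESS_TTL.
        closed = [sid for sid, uid in self.sessions.items() if uid == user_id]
        for sid in closed:
            del self.sessions[sid]
        return len(closed)
```

Two things to notice when running it: deleting the token from local storage on the client, as the question's front end does, changes nothing here, because the server only learns of the logout through `logout()`; and `logout_everywhere()` only closes refresh sessions, so an access token already in someone's hands stays usable until `ACCESS_TTL` runs out, which is the reason the answer insists on keeping that lifetime minimal.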

user9823, 2020-12-06
@user9823

Thanks for the detailed answer. I have already implemented it using the "blacklist" scheme. I picked up the idea in an article that talked about the shortcomings of JWT, but in the end I cut it down to fit my needs.
