DEV Community

Discussion on: Simple Intro to JWT Basics

Collapse
 
joshuatz profile image
Joshua Tzucker

These are all great points; I strongly agree that creating lists of JWTs and trying to force them into a session-shaped box is indicative that a developer might need to rethink their approach.

Re: Session continuation
You're right, and I've updated my post. It sounds like most people recommend using a short token duration, and auto-refreshing/exchanging as long as the site/app is kept open. Then the user only gets logged out after prolonged inactivity. It still rubs me the wrong way that this approach is recommended as a way to emulate "true" logout functionality, even by Auth0.

Re: Signing algorithms
Again, you're absolutely right. I missed that when researching JWTs, and have updated my post. I've kept my examples as symmetric, to reduce the complexity of the post, but added a disclaimer about symmetric vs asymmetric.