Jwt-auth: Where are tokens stored?

Created on 1 Mar 2018  路  9Comments  路  Source: tymondesigns/jwt-auth

Hello all,

That's not really a bug or an issue, but more a technical question.
Where does jwt-auth store tokens on the server side?
I mean they are not in the database, and I couldn't find them persisted on the disk..?

Thanks

Environment

| Q | A
| ----------------- | ---
| Bug? | no
| New Feature? | no
| Framework | Lumen
| Framework version | 5.6
| PHP version | 7.2

picture HamzaElgarrab

Most helpful comment

And how are the tokens blacklisted? How works the invalidate() and logout() methods? :thinking:

https://jwt-auth.readthedocs.io/en/develop/auth-guard/

picture nelson6e65 on 31 Jan 2019
👍4

All 9 comments

look here.
https://github.com/tymondesigns/jwt-auth/issues/1480

seth-shi picture seth-shi on 2 Mar 2018
👍2 🎉1

@DavidNineRoc Brilliant, thanks.

If someone is having the same question, the tokens are stateless, which means they contain the information necessary to identify a user. The is no need to store them.

HamzaElgarrab picture HamzaElgarrab on 2 Mar 2018
👍3

Can I get a confirmation that because they're stateless, upon a server migration, the tokens will not expire a users existing session. (with an expiration time of never, since this is a mobile app session.)

I don't need to copy anything over from storage/cache to move over to a new server?

@DavidNineRoc

arianitu picture arianitu on 7 Jan 2019

@arianitu If you set the expiration time long enough and you have to make sure thatJWT_SECRETis consistent, you can try the test.

seth-shi picture seth-shi on 8 Jan 2019

I did the server migration and no sessions expired, the Stateless feature is very cool!

Cheers.

arianitu picture arianitu on 10 Jan 2019
👍4

And how are the tokens blacklisted? How works the invalidate() and logout() methods? :thinking:

https://jwt-auth.readthedocs.io/en/develop/auth-guard/

nelson6e65 picture nelson6e65 on 31 Jan 2019
👍4

Hi, I have the same question. Will I have a huge directory full of invalidated tokens? Thanks.

dhcmega picture dhcmega on 4 Mar 2019
👍1

@nelson6e65 @dhcmega The use of tokenis not required to store it, but when you use the blacklist feature, you need a storage material to save these. The blacklist, may be file, db, redis. depends on your system, so that the use of the cache will be more and more, and this is inevitable, unless you can find a better solution.

seth-shi picture seth-shi on 5 Mar 2019
👍1

Hi @DavidNineRoc, thanks for your answer. Once a token expired and it's not renewable, will still be kept in the store? I think it would make sense to delete tokens that aren't valid anymore themselves.

dhcmega picture dhcmega on 5 Mar 2019
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

functionpointdaniel picture functionpointdaniel  路  3Comments
harveyslash picture harveyslash  路  3Comments
johncloud200 picture johncloud200  路  3Comments
shah-newaz picture shah-newaz  路  3Comments
gandra picture gandra  路  3Comments