Dec 11, 2022
Don't save tokens in the database. It is the same as saving a user's password in clear text.
Author
·Dec 12, 2022
Thanks for the comment and for pointing that out. How should tokens be handled without using third-party solutions?
Dec 12, 2022
mathew adetunji Hi. Generally speaking, the safest way to invalidate tokens is by demanding a specific minimum issued-at time.
I explain the logic behind this invalidation method here. This can be refined to apply to refresh tokens only, if you wish, or by invalidating per token type.
You'll also see alternative 1, which tells you to key the tokens. Then you can more safely save token keys, not tokens. I discourage this path, though, because of the extra administrative work around maintaining the keys.
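A minimal implementation of the minimum-issued-at check described in the reply above, added here as an example (not code from the post or its author). The compact HMAC-SHA256 token format, the secret, and the in-memory per-user store are constructed for the demo; the server keeps only a timestamp per user, never the token itself.

```python
import base64, hashlib, hmac, json
from typing import Optional

SECRET = b"constructed-demo-secret"   # constructed; load from a secret store in practice
MIN_IAT: dict = {}                     # user id -> earliest issued-at still accepted

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue(sub: str, iat: int, ttl: int = 3600) -> str:
    """Mint a JWT-like token: header.payload.signature, HMAC-SHA256 over the first two parts."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": sub, "iat": iat, "exp": iat + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def invalidate_all(sub: str, now: int) -> None:
    """Reject every token for `sub` issued before `now` (logout-everywhere, password change)."""
    MIN_IAT[sub] = now

def verify(token: str, now: int) -> Optional[dict]:
    """Return the claims if signature, algorithm, expiry and the per-user minimum iat all pass."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    if json.loads(_unb64(header)).get("alg") != "HS256":   # refuse algorithm substitution
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return None
    claims = json.loads(_unb64(payload))
    if claims.get("exp", 0) <= now:
        return None
    # The invalidation check: anything minted before the user's cut-off is dead,
    # without the database ever holding a token. Refine with a per-token-type map if needed.
    if claims.get("iat", 0) < MIN_IAT.get(claims.get("sub"), 0):
        return None
    return claims
```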