firebase / php-jwt

PHP package for JWT
BSD 3-Clause "New" or "Revised" License

how to destroy jwt token on logout at server side php #540

Closed gamotmohit closed 1 month ago

gamotmohit commented 9 months ago

There is no code available which tells how we can destroy a JWT token on the server in PHP.

GuiiSantos commented 9 months ago
    <?php
    session_start(); // the session must be started before $_SESSION can be read
    header('Content-Type: application/json');

    if (isset($_SESSION['jwt_token'])) {
        unset($_SESSION['jwt_token']); // removes the stored copy of the token from this session
        $response = ["message" => "Destroyed session token"];
    } else {
        $response = ["message" => "User is not logged in"];
    }
    echo json_encode($response);

You can use the unset function in PHP to destroy a JWT token stored in a session, as shown in your provided code. This will effectively remove the token from the session, making it invalid for future requests.

Good luck with your implementation!

bshaffer commented 1 month ago

@gamotmohit that's because the tokens are not stored anywhere by this library. So destroying them would depend on your implementation.

JWTs are created by this library in memory only. Because they are signed, the only way to destroy them would be to remove them from memory, or from whatever cache you're using.

If you have a more specific question, such as how to rotate the keys you are using to sign, try reading up on best practices for securing your application. Good luck!
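Putting bshaffer's point into code, as an added example that is not part of this thread or of firebase/php-jwt: since the library never stores tokens, logout has to record the token's `jti` in a store your application owns and check it on every request, dropping entries once the token's `exp` has passed. It assumes firebase/php-jwt v6 installed via Composer; `SECRET`, `Denylist`, `issueToken`, `verifyToken` and `logout` are illustrative names.

```php
<?php
// Added example (not from the issue or the firebase/php-jwt library): revoke a
// stateless JWT at logout with a server-side denylist keyed on its "jti" claim.
require 'vendor/autoload.php';
use Firebase\JWT\JWT;
use Firebase\JWT\Key;
const SECRET = 'replace-with-a-long-random-secret'; // placeholder, load from config

// In-memory denylist for the demo; back it with Redis/APCu/DB in production and
// let entries expire at the token's "exp" so the store does not grow unbounded.
final class Denylist {
    private array $revoked = []; // jti => exp
    public function revoke(string $jti, int $exp): void { $this->revoked[$jti] = $exp; }
    public function isRevoked(string $jti): bool {
        $this->revoked = array_filter($this->revoked, fn(int $exp) => $exp > time());
        return isset($this->revoked[$jti]);
    }
}

function issueToken(string $sub, int $ttl = 3600): string {
    $now = time();
    return JWT::encode([
        'sub' => $sub,
        'iat' => $now,
        'exp' => $now + $ttl,
        'jti' => bin2hex(random_bytes(16)), // unique id, required for revocation
    ], SECRET, 'HS256');
}

// Check signature and expiry first, then reject tokens whose jti was revoked
function verifyToken(string $jwt, Denylist $denylist): ?stdClass {
    try {
        $claims = JWT::decode($jwt, new Key(SECRET, 'HS256'));
    } catch (Exception $e) {
        return null;
    }
    if (empty($claims->jti) || $denylist->isRevoked($claims->jti)) {
        return null;
    }
    return $claims;
}

// Logout: remember the token's jti until the token would have expired anyway
function logout(string $jwt, Denylist $denylist): void {
    $claims = JWT::decode($jwt, new Key(SECRET, 'HS256'));
    $denylist->revoke($claims->jti, (int) $claims->exp);
}
$denylist = new Denylist();
$token = issueToken('user-42');
logout($token, $denylist);
var_dump(verifyToken($token, $denylist));
```

The denylist only needs to hold an entry until the token's own `exp`, so keeping token lifetimes short bounds both the store and the window in which a stolen token stays usable.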