keeleinstituut / tv-tolkevarav

Tõlkevärav (Translation Hub)

[10] JWT tokens should be revoked on the server after logout #598

Open MariusJulius opened 8 months ago

MariusJulius commented 8 months ago

PID: 10
Short description: JWT tokens should be revoked on the server after logout
Full overview in test report.

thenouan commented 7 months ago

There's no good way to handle this without introducing SSR for the frontend application and hiding the JWT from the user's browser so that the user couldn't access it. It won't solve the exact issue, since the access token JWT can still be used before its expiry date even if the session has been destroyed (during logout). https://stackoverflow.com/questions/31919067/how-can-i-revoke-a-jwt-token

To mitigate this kind of attack vector we can decrease the lifespan of the access token to a lesser value.
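The two mitigations in the comment above (short-lived access tokens plus a server-side check on logout) can be combined, as shown in this added example. It is not code from the Tõlkevärav project; it is a standalone HS256 JWT issuer/verifier with a constructed secret and a `jti` denylist that the logout handler fills and that only holds entries until the token would expire anyway, so the store stays bounded by the token lifespan.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # assumption: demo HMAC key, not the project's


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, jti: str, ttl_seconds: int, now: int) -> str:
    """Mint a short-lived HS256 JWT carrying a unique jti so it can be revoked."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "jti": jti, "iat": now, "exp": now + ttl_seconds}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class RevocationStore:
    """Server-side denylist of revoked jti values; entries are dropped once the token expires."""
    def __init__(self):
        self._revoked = {}  # jti -> exp

    def revoke(self, jti: str, exp: int):
        self._revoked[jti] = exp

    def is_revoked(self, jti: str, now: int) -> bool:
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}  # purge stale
        return jti in self._revoked


def verify_token(token: str, store: RevocationStore, now: int):
    """Return the payload if the token is well-formed, signed, unexpired and not revoked; else None."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":  # refuse alg confusion
            return None
        payload = json.loads(_b64url_decode(p))
    except ValueError:  # covers bad base64, bad JSON, wrong segment count
        return None
    if payload.get("exp", 0) <= now or store.is_revoked(payload.get("jti"), now):
        return None
    return payload


def logout(token: str, store: RevocationStore, now: int) -> bool:
    """Revoke the presented token's jti; returns True if a valid token was revoked."""
    payload = verify_token(token, store, now)
    if payload is None:
        return False
    store.revoke(payload["jti"], payload["exp"])
    return True
```

With a 5-minute `ttl_seconds`, a stolen token is useless after logout and the denylist never grows beyond the tokens issued in the last 5 minutes.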

MariusJulius commented 5 months ago

Discussion agreements are in the Teams chat. Needs both BE (~20h) and FE work (needs FE task).

MariusJulius commented 2 months ago

Problem exists: https://pundar.atlassian.net/wiki/spaces/TLKEV/pages/2261123073/Pentest+vol+2