Destroy Token When Host Is Suspended

Question
-
User338455301 posted
Hi,
I use ASP.NET Core JWT authentication. When a user logs in, I create a token and send it to them:
    using System;
    using System.Collections.Generic;
    using System.IdentityModel.Tokens.Jwt;
    using System.Security.Claims;
    using System.Text;
    using Microsoft.IdentityModel.Tokens;

    // Symmetric key used to sign the token (HMAC-SHA256 needs at least 16 bytes)
    var secretKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("Itisa Secret Key Abroon"));
    var signinCredentials = new SigningCredentials(secretKey, SecurityAlgorithms.HmacSha256);
    var tokenOption = new JwtSecurityToken(
        issuer: "https://localhost:44303",
        claims: new List<Claim>
        {
            new Claim(ClaimTypes.Name, user.UserName),
            new Claim(ClaimTypes.Role, "Customer")
        },
        expires: DateTime.Now.AddMinutes(1),   // token is valid for one minute
        signingCredentials: signinCredentials);
    var token = new JwtSecurityTokenHandler().WriteToken(tokenOption);
    return token;
But when I change my code and publish it, I want to upload the project to my host (Plesk), and I set the host to suspended while uploading the new DLL.
When the upload is done and I set the host active again, the tokens are reset and not found.
How can I access the token after the host has been suspended and made active again?
Sunday, July 21, 2019 4:22 AM
All replies
-
User-1764593085 posted
Hi elahi1mahdi,
The token expires after one minute; you could try setting a longer time for it.
expires: DateTime.Now.AddMinutes(120),
Xing
Monday, July 22, 2019 1:51 AM
-
User338455301 posted
No, in the logout controller I want to set expireTime to 0 to destroy and invalidate the token.
How do I do that?
Monday, July 22, 2019 3:41 AM
-
User-1764593085 posted
Hi elahi1mahdi,
"in logout controller i want to set expireTime to 0 for destroy and invalidate token"
You cannot manually expire a token after it has been created. Thus, you cannot actually log out with JWT on the server side the way you do with sessions.
The value of the JWT is determined by its contents and the keys used to sign it. If the contents and signing keys are identical each time the JWT is created, then the JWT value should not change. If the JWT includes any unique content (e.g. a timestamp), then it will have a different value each time it is issued.
With regard to destroying a JWT: JWTs often expire, or you can include some unique data, e.g. a session ID that can be verified in the database.
I think the typical way to 'destroy' a JWT so that it may not be reused is to blacklist it in your DB:
- Set a reasonable expiration time on tokens
- Delete the stored token from the client side upon logout
- Have a DB of no-longer-active tokens that still have some time to live
- Query the provided token against the blacklist on every authorized request
Refer to https://medium.com/devgorilla/how-to-log-out-when-using-jwt-a8c7823e8a6
This answer suggests using a distributed cache: cache the token ID and remove it on logout. During authorization, you need to validate whether the ID is still inside the cache; if not, refuse authorization (401).
Best Regards,
Xing
Monday, July 22, 2019 5:51 AM
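The denylist approach Xing outlines (unique ID per token, a store of revoked IDs that live only as long as the token would, a check on every request), written out as an added example for ASP.NET Core. This is not code from the thread or from the linked article. It assumes ASP.NET Core 3.1 or later with the Microsoft.AspNetCore.Authentication.JwtBearer package and an IDistributedCache provider (the in-memory one here; Redis or SQL Server when the app runs on more than one host). The signing key, issuer, class names and the /logout route are placeholders.

```csharp
// Added example (not from the original thread): revoking JWTs on logout with a denylist.
// Each token carries a "jti" claim; logout stores that ID in IDistributedCache until the
// token's own "exp" time; OnTokenValidated rejects any token whose ID is in the cache.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Routing;
using Microsoft.Extensions.Caching.Distributed;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class TokenIssuer
{
    // Placeholder key and issuer (assumptions); load the real key from a secret store.
    public static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("PLACEHOLDER-signing-key-at-least-32-bytes-long"));
    public const string Issuer = "https://localhost:44303";

    public static string Issue(string userName)
    {
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.Name, userName),
            new Claim(ClaimTypes.Role, "Customer"),
            // Unique per token; this is the value the denylist stores on logout.
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString("N")),
        };
        var jwt = new JwtSecurityToken(
            issuer: Issuer,
            claims: claims,
            expires: DateTime.UtcNow.AddMinutes(30),
            signingCredentials: new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(jwt);
    }
}

public static class TokenDenylist
{
    private const string Prefix = "jwt-denied:";   // keeps denied IDs apart from other cache entries

    // Keep the entry only until the token's exp; after that the lifetime check rejects it anyway.
    public static Task DenyAsync(IDistributedCache cache, JwtSecurityToken token)
    {
        var ttl = token.ValidTo - DateTime.UtcNow;
        if (ttl <= TimeSpan.Zero) return Task.CompletedTask;   // already expired: nothing to store
        return cache.SetStringAsync(Prefix + token.Id, "revoked",
            new DistributedCacheEntryOptions { AbsoluteExpirationRelativeToNow = ttl });
    }

    public static async Task<bool> IsDeniedAsync(IDistributedCache cache, string jti)
        => !string.IsNullOrEmpty(jti) && await cache.GetStringAsync(Prefix + jti) != null;
}

public static class JwtDenylistSetup
{
    public static void ConfigureServices(IServiceCollection services)
    {
        services.AddDistributedMemoryCache();   // single host only; use Redis/SQL cache across hosts
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true, ValidIssuer = TokenIssuer.Issuer,
                    ValidateAudience = false,
                    ValidateLifetime = true, ClockSkew = TimeSpan.FromSeconds(30),
                    IssuerSigningKey = TokenIssuer.Key,
                };
                options.Events = new JwtBearerEvents
                {
                    // Runs only after signature and expiry checks pass; a revoked ID means 401.
                    OnTokenValidated = async ctx =>
                    {
                        var cache = ctx.HttpContext.RequestServices.GetRequiredService<IDistributedCache>();
                        var jti = ctx.Principal?.FindFirst(JwtRegisteredClaimNames.Jti)?.Value;
                        if (await TokenDenylist.IsDeniedAsync(cache, jti))
                            ctx.Fail("token has been revoked");
                    }
                };
            });
    }

    // POST /logout: the caller's own (already validated) bearer token goes on the denylist.
    public static void MapLogout(IEndpointRouteBuilder endpoints)
    {
        endpoints.MapPost("/logout", async context =>
        {
            var cache = context.RequestServices.GetRequiredService<IDistributedCache>();
            var raw = context.Request.Headers["Authorization"].ToString().Substring("Bearer ".Length);
            await TokenDenylist.DenyAsync(cache, new JwtSecurityTokenHandler().ReadJwtToken(raw));
            context.Response.StatusCode = StatusCodes.Status204NoContent;
        }).RequireAuthorization();
    }
}
```

Because OnTokenValidated runs after the normal signature and lifetime checks, the cache lookup only happens for tokens that would otherwise be accepted, and entries expire on their own once the token does, so the denylist never grows beyond the set of tokens that are still within their validity window.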