Session Invalidation in a Stateless Architecture

In this lesson, we'll study some session invalidation strategies and how to choose one that's best for your goals.

Stateful web architectures are more efficient

If you’ve ever built a web architecture, chances are you’ve heard that stateless architectures scale better because they do not have to keep track of state. This is true, but it also introduces a security risk, especially where the state in question is authentication state.

In a typical stateful architecture, the client is issued a session ID which is stored on the server and linked to a user ID. When the client requests information from the server, it includes the session ID, so the server knows that the request was made on behalf of the user with that ID. This requires the server to store every session ID it has generated together with the linked user ID, and maintaining and querying that store can be costly.
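As an added illustration (not code from the lesson), the following Python sketch places the stateful session store described above next to a stateless HMAC-signed token, a simplified stand-in for the JWTs covered earlier in this chapter. It shows that invalidating a stateful session is a single delete, while a signed token stays valid until its expiry unless the server keeps revocation state. The `SessionStore` class, the `SECRET` key and the `revoked` set are constructed for this demo.

```python
# Added example: stateful session store vs. stateless signed token.
import base64, hashlib, hmac, json, secrets, time

# --- Stateful: server keeps session_id -> user_id, so revocation is a delete ---
class SessionStore:
    def __init__(self):
        self._sessions = {}              # session_id -> user_id (server-side state)

    def issue(self, user_id):
        sid = secrets.token_urlsafe(32)  # unguessable session ID
        self._sessions[sid] = user_id
        return sid

    def resolve(self, sid):
        return self._sessions.get(sid)   # None when unknown or already invalidated

    def invalidate(self, sid):
        self._sessions.pop(sid, None)    # logout = forget the session

# --- Stateless: server keeps only a signing key; the token carries the claims ---
SECRET = secrets.token_bytes(32)         # constructed demo key, not a real secret

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user_id, ttl_seconds, now=None):
    now = int(time.time()) if now is None else now
    body = _b64(json.dumps({"sub": user_id, "exp": now + ttl_seconds}).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_token(token, now=None, revoked=frozenset()):
    """Return the user_id or None. Without `revoked` the server cannot reject a
    token before `exp`; consulting a revocation set reintroduces server state."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return None                      # forged or tampered token
    claims = json.loads(_unb64(body))
    if now >= claims["exp"] or token in revoked:
        return None
    return claims["sub"]
```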

JWTs, which we spoke about earlier in this chapter, rose to prominence because they make stateless authentication between client and server straightforward: the server does not have to store any additional information about the session. A JWT can include a ...