Is it safe to trust old tokens?
Amri91 opened this issue · 2 comments
Amri91 commented
If it is, we can save 1 db hit. And the main purpose of authomatic stores will be to tell us whether refresh tokens have been invalidated.
Avaq commented
This makes the assumption that given enough time, an attacker could forge a signature on a specific payload. I'm not sure exactly how distrusting old tokens solves this issue though, because it all depends on how we determine that an access token is "old".
Amri91 commented
I was wrong. I believe the assumption that tokens should not be trusted when they are old is false. But before I remove the logic that does this, I wanted to be sure.
With that said, it is not causing any issues for now except for 1 extra db hit.
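The distinction the thread lands on, as an added example (not authomatic's own code): a signed token is trusted on its signature and `exp` claim alone, while only the long-lived refresh token consults the store to learn whether it has been invalidated. The HMAC-SHA256 token format, the claim names (`type`, `jti`, `exp`) and the in-memory revoked-id set standing in for the store are all assumptions made for this demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment loads it from configuration.
SECRET = b"demo-signing-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = SECRET) -> str:
    """Serialise claims as <base64url(json)>.<base64url(hmac-sha256)>."""
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, key: bytes = SECRET, now=None, revoked_refresh_ids=frozenset()):
    """Return (ok, reason, claims). Access tokens never touch the store."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed", None
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    # Constant-time comparison: signature decides trust, not token age.
    if not hmac.compare_digest(sig, expected):
        return False, "bad-signature", None
    claims = json.loads(_unb64(body))
    # A missing exp counts as expired rather than as "valid forever".
    if now >= claims.get("exp", 0):
        return False, "expired", claims
    # Only refresh tokens pay the db hit: the store records invalidations.
    if claims.get("type") == "refresh" and claims.get("jti") in revoked_refresh_ids:
        return False, "revoked", claims
    return True, "ok", claims
```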