Last post Jul 22, 2019 05:51 AM by Xing Zou
Jul 21, 2019 04:22 AM|elahi1mahdi
I use ASP.NET Core JWT authentication. When a user logs in, I create a token and send it to him:
var secretKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("Itisa Secret Key Abroon"));
var signinCredentials = new SigningCredentials(secretKey, SecurityAlgorithms.HmacSha256);
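var tokenOption = new JwtSecurityToken(
    claims: new List<Claim>(), // the claims are not shown in the post
    signingCredentials: signinCredentials);
// Serialize the signed token into the compact string that is sent to the client.
var token = new JwtSecurityTokenHandler().WriteToken(tokenOption);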
But when I change my code and publish it, I want to upload the project to my host (Plesk), and I set the host to suspended to upload the new DLL.
But when I uploaded it and set the host active, the tokens are reset and not found.
How can I access the tokens after the host is suspended and made active again?
Jul 22, 2019 01:51 AM|Xing Zou
The token expires after one minute; you could try setting a longer time for it.
Jul 22, 2019 03:41 AM|elahi1mahdi
No, in the logout controller I want to set expireTime to 0 to destroy and invalidate the token.
How do I do it?
Jul 22, 2019 05:51 AM|Xing Zou
"In the logout controller I want to set expireTime to 0 to destroy and invalidate the token,"
You cannot manually expire a token after it has been created. Thus, you cannot actually log out with JWT on the server side like you do with sessions.
The value of the JWT is determined by its contents and the keys used to sign the JWT. If the contents and signing keys are identical each time the JWT is created, then the JWT value should not change. If the JWT includes any unique content (i.e. a timestamp), then it will have a different value each time the JWT is issued.
With regard to destroying a JWT: JWTs often expire, or you can include some unique data, i.e. a session ID that can be verified in the database.
I think the typical way to 'destroy' a JWT so that it may not be reused is to blacklist it in your DB.
Refer to https://medium.com/devgorilla/how-to-log-out-when-using-jwt-a8c7823e8a6
This answer suggests using a distributed cache: cache the token ID and remove it on logout. During authorization, you need to validate that the ID is still inside the cache; if not, refuse authorization (401).
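The cache-the-token-ID approach from the last reply, written out as an added example (not code from the thread or from the linked article). It assumes a .NET 6+ minimal API with the Microsoft.AspNetCore.Authentication.JwtBearer package; the `/login` and `/logout` routes, the `Jwt:Key` setting, the `jti:` cache prefix and the 30-minute lifetime are all hypothetical choices.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Caching.Distributed;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
// "Jwt:Key" is an assumed configuration entry (random, at least 32 bytes), kept out of source code.
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"]!));
var lifetime = TimeSpan.FromMinutes(30); // assumed token lifetime
builder.Services.AddDistributedMemoryCache(); // stand-in; a shared store (e.g. Redis) survives restarts
builder.Services.AddAuthorization();
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(o =>
{
    o.TokenValidationParameters = new TokenValidationParameters
    { IssuerSigningKey = key, ValidateIssuer = false, ValidateAudience = false }; // iss/aud not used here
    o.Events = new JwtBearerEvents
    {
        // Runs after signature and lifetime checks pass: refuse tokens whose ID is not cached.
        OnTokenValidated = async ctx =>
        {
            var cache = ctx.HttpContext.RequestServices.GetRequiredService<IDistributedCache>();
            var jti = ctx.Principal?.FindFirst(JwtRegisteredClaimNames.Jti)?.Value;
            if (jti is null || await cache.GetStringAsync("jti:" + jti) is null)
                ctx.Fail("Token ID not in cache (logged out or unknown)."); // request gets 401
        }
    };
});
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Login (credential check omitted): issue a token with a unique ID and cache that ID.
app.MapPost("/login", async (IDistributedCache cache) =>
{
    var jti = Guid.NewGuid().ToString();
    var jwt = new JwtSecurityToken(
        claims: new[] { new Claim(JwtRegisteredClaimNames.Jti, jti) },
        expires: DateTime.UtcNow.Add(lifetime),
        signingCredentials: new SigningCredentials(key, SecurityAlgorithms.HmacSha256));
    await cache.SetStringAsync("jti:" + jti, "active",
        new DistributedCacheEntryOptions { AbsoluteExpirationRelativeToNow = lifetime });
    return new JwtSecurityTokenHandler().WriteToken(jwt);
});
// Logout: remove the ID, so the same token fails OnTokenValidated from now on.
app.MapPost("/logout", (ClaimsPrincipal user, IDistributedCache cache) =>
    cache.RemoveAsync("jti:" + user.FindFirst(JwtRegisteredClaimNames.Jti)?.Value)).RequireAuthorization();
app.Run();
```

The cache entry expires together with the token, so the store never holds IDs of tokens that would be rejected on lifetime anyway.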