Is it a good practice to store JWT Tokens in memory

Question

I wrote an asp.net core 3.0 web api where I am using JWT tokens to authenticate a user. Once the user gets token, he/she can use it until it expires.

What I have done is that I have also stored this token in-memory on authentication, to get other minimal details e.g. username, token generated at and "token".

1. My first question is that is it a good practice? since tokens are stateless and therefore saves server side from the hassle of maintaining it.

2. My second question is that if it is acceptable to do so, then how do I remove this token information from in-memory once a token expires.

3. If I am not storing this token in memory, how to extract information like "get a list of all logged-in users".

Answer 1

1. Yes, it is a good practice to cache the JWT in memory cache like Redis or simple in-memory cache. The newly created tokens are cached in memory with cache eviction time same as token expiration time.
2. When a request comes in to validate token, its first checked whether it exists in memory cache, if not will be looked in to persistent storage like db.
3. When the user invalidates token(ie logged out), it should be removed from cache and update the state to invalidated in db.

In a distributed application, its a challenge to maintain the state. For this reason, its better to have separate caching layer backed by redis. In this way, we can maintain the application stateless.

In addition to token expiration time, you may want to add additional check for validation, depends on the content of JWT like (aud claim, signature verification etc). To retrospect the content of JWT token , you can use tools like below

https://devtoolzone.com/decoder/jwt

Cheers, Lakshmanan

Answer 2

When you say "in memory", does that mean locally on the client machine or somewhere in the server? I'm going to assume you mean client-side for their use.

I'm currently using JWT myself, so here are my recommendations:

1) Save the tokens in session storage. 2) Just empty the session (or wherever you're storing it). 3) You'll definitely need to store it somewhere if you want to access it. But getting a list of all users sounds like you want the data on the back-end. You can keep track of that on a back-end server, but usually these tokens are handled and persisted into databases. But even on a back-end server, you can just have a array of Client objects to track which ones are logged in (i.e. which ones have unexpired tokens).

The typical practice involves generating two tokens (auth token and refresh token) and then checking them against a database when the user submits a token for authentication.