
PHP: How to Logout From API using JWT

So I created an API using Token based authentication for Login, now I want to create the logout but I do not know how to go about it.

The login process just uses the following steps:

  1. User passes Username and Password to server

  2. Server checks DB to ensure user is Valid

  3. Token is generated containing uid and other details

  4. Token is then passed to User who sends back to server whenever he makes a request

Now I want user to logout, how do I go about it, I do not have power over the user Token anymore.

James Okpe George asked Oct 19 '22 19:10



1 Answer

I also came here in search of a solution, but after reading much I came to a few conclusions, or say possible situations.

Edit Note:- Never store any potential information in the token, as reading the data in the token doesn't require the secret key. The secret key is only for verifying the signature of the Base64 token. To check this out, go to http://jwt.io and paste your token. I added this point because somewhere I saw a developer adding the username and password of the user in the token. Please don't do things like this.

1.) The account logout event is initiated by the client, if he wants to log out before the expiry time of the token. Solution:- Remove the token from every place on the client side. It can be stored in the DOM, or a JavaScript variable, or HTML key-pair storage, or session storage, or cookie storage. Everywhere we can store a value in a browser, we also have the right to delete the values. Once the token is deleted from every corner of this world, the user is logged out.

Caveat 1 in the above solution

What if the user is logging out in an emergency, like someone might have stolen the token? How to destroy the token?

The answer is the same as what we will do if our secret key for JWT is stolen. We will quickly change the secret key and regenerate the tokens for logged-in users. But in the case of users, what should we change? The user ID (I will say no.). We should add an account locking mechanism similar to the mechanism in debit/credit cards, where the card is locked for 24 hours. But in our case we should have the end period of account locking a little more than the expiry time of the token.

2.) Tokens are just like missiles: once fired, we cannot ask them to shut down. I am talking about the ideal case; if you are storing a reference to the fired token in the database, then there is no point in using JWT. We can generate a token using any hash generation method.

3.) Set the expiry time short. Renew without letting the user notice this, a little before the previous token expires. The time can be around 20 seconds. Still, you have to consider caveat 1, as any person having a genuine token can ask for a fresh token.

4.) We can also add an IP address field in the token and check whether the current IP address of the user matches the one used at the time of login or not. It protects from remote hackers.

5.) Add a clearly visible Logout button in your user interface for naive users, and guide users to log out from your application every time they are done with your application.

6.) Add a client type in your token meta. For mobile applications, check HMAC or IMEI codes instead of the IP address, as mobile applications require a continuously running session, since no one wants his or her users to log out from their mobile applications. But a compromiser can compromise the IMEI and HMAC address, although. But randomly switching between HMAC, IMEI or any other available string can add a little more security.

7.) I will add more if I get to know more such points.

Invalidating JSON Web Tokens: this thread also has many good inputs, as mentioned in a comment under the question.

Ravinder Payal answered Nov 03 '22 04:11

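The following is an added, self-contained example (not code from the question, the answer, or any library they mention) that puts the answer's points into working form: the payload is readable without the secret (edit note), the token lifetime is kept short and silently renewed before expiry (point 3), and an account lock whose period outlives the token lifetime kills every token minted before the lock (caveat 1). It implements HS256 JWT signing with only the Python standard library so it runs offline; the signing key, the `locked_since` user state, the clock values and the user id `u42` are all constructed for the example and are not from the page.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"example-signing-key-not-for-real-use"  # constructed for this example
TOKEN_TTL = 20      # token lifetime in seconds (the answer suggests ~20 s)
RENEW_MARGIN = 5    # renew silently when this little lifetime is left
LOCK_PERIOD = 60    # account lock length; deliberately longer than TOKEN_TTL

# Constructed per-user state: epoch second at which the account was locked
# (0 = never locked). Stands in for a column in the user table.
locked_since = {"u42": 0}


def b64url(raw: bytes) -> str:
    """Unpadded base64url, as JWT uses it."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def is_locked(uid: str, now: int) -> bool:
    lock = locked_since.get(uid, 0)
    return bool(lock) and now < lock + LOCK_PERIOD


def issue_token(uid: str, now: int) -> Optional[str]:
    """Mint an HS256 JWT carrying only the user id and timing claims.
    Nothing sensitive goes in the payload: it is readable without the key."""
    if is_locked(uid, now):
        return None
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(
        {"uid": uid, "iat": now, "exp": now + TOKEN_TTL}).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(SECRET, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def read_payload_without_key(token: str) -> dict:
    """What jwt.io does: decode the payload with no secret at all."""
    return json.loads(unb64url(token.split(".")[1]))


def verify_token(token: str, now: int) -> Optional[dict]:
    """Return the claims only if the signature is valid, the token is
    unexpired, and it was not minted before the user's account lock."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64url(sig)):
            return None
        claims = json.loads(unb64url(payload))
        if now >= claims["exp"]:
            return None
        # Account lock (caveat 1): every token issued before the lock instant
        # is dead, even though nothing about the token itself changed.
        if claims["iat"] < locked_since.get(claims["uid"], 0):
            return None
        return claims
    except (ValueError, KeyError, TypeError):
        return None


def renew_if_needed(token: str, now: int) -> Optional[str]:
    """Point 3: hand back a fresh token shortly before the old one expires,
    so the client never notices the short lifetime."""
    claims = verify_token(token, now)
    if claims is None:
        return None
    if claims["exp"] - now > RENEW_MARGIN:
        return token
    return issue_token(claims["uid"], now)


def lock_account(uid: str, now: int) -> None:
    """Emergency logout when a token may be stolen: the lock outlives every
    token minted before it, so no pre-lock token can ever verify again."""
    locked_since[uid] = now


if __name__ == "__main__":
    t0 = 1_700_000_000                       # constructed clock value
    tok = issue_token("u42", t0)
    print("payload, no key needed:", read_payload_without_key(tok))
    print("valid at +5s:", verify_token(tok, t0 + 5) is not None)
    print("valid at +20s:", verify_token(tok, t0 + 20) is not None)
    lock_account("u42", t0 + 10)
    print("valid after lock:", verify_token(tok, t0 + 12) is not None)
```

The lock check compares the token's `iat` against the per-user lock timestamp rather than keeping a list of revoked tokens, which is the point made in the answer's item 2: the server stores one timestamp per user, not one record per issued token. Because `LOCK_PERIOD` exceeds `TOKEN_TTL`, any token minted before the lock has expired on its own by the time the lock is lifted, so the timestamp can be reset afterwards without reviving anything.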