4
votes

I'm using Laravel 5.2 and tymondesigns/jwt-auth.

Is it possible to blacklist an old token if a user logs in again without logging out? I'm curious about the security of the old token.

Any suggestions on how to improve the "always logged in" experience on mobile devices, as I am currently using Laravel as the API?

My current configuration is: ttl = 1 hour & refresh_ttl = 2 weeks


3 Answers

3
votes

You can use the jwt.refresh middleware, which sends back a new token as a header in the response. If you have the blacklist enabled, the old token will be immediately blacklisted. Just include jwt.refresh on your login route, and then make sure to capture the response header and update your local key. Then you can make your ttl and refresh_ttl unlimited (i.e. 60*60*24*365*10).

3
votes

Actually, @Jeff's answer may solve the problem. I need to use the jwt.refresh middleware.

My JWT blacklist was not working because I'm using array as the CACHE_DRIVER.

I have tested reverting it back to file as the CACHE_DRIVER, and jwt.refresh works; the old token is blacklisted as it should be.

I am marking this as the answer. Thank you, Jeff.

0
votes

You can create a table to store the token at the first login of the user.

When that user logs in again, you get the old token (from your table), blacklist it, and update the table with the new one generated right after the login.
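As an added example (not code from the question or from any of the answers), here is a login action that implements this approach with tymondesigns/jwt-auth 0.5.x: it keeps the most recently issued token per user in an assumed `last_jwt` column on the users table and blacklists the previous one when the user logs in again. It assumes `blacklist_enabled` is true in `config/jwt.php` and, as the accepted answer notes, a persistent CACHE_DRIVER such as file or redis (the array driver lives only for one request, so nothing is actually blacklisted).

```php
<?php
// Added example for this thread; `last_jwt` is an assumed nullable string column on `users`.
namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Tymon\JWTAuth\Facades\JWTAuth;
use Tymon\JWTAuth\Exceptions\JWTException;

class AuthController extends Controller
{
    public function login(Request $request)
    {
        $credentials = $request->only('email', 'password');

        // attempt() returns the new token string, or false on bad credentials
        if (! $token = JWTAuth::attempt($credentials)) {
            return response()->json(['error' => 'invalid_credentials'], 401);
        }

        // Resolve the authenticated user from the token we just issued
        $user = JWTAuth::toUser($token);

        // Revoke the token from the previous login, if one is on record.
        // invalidate() adds the token's jti to the blacklist (cache-backed),
        // so the old token is rejected on the next request that presents it.
        if ($user->last_jwt) {
            try {
                JWTAuth::invalidate($user->last_jwt);
            } catch (JWTException $e) {
                // Old token already expired or already blacklisted: nothing left to revoke.
                // (With the blacklist disabled, invalidate() also throws here.)
            }
        }

        // Remember the current token so it can be revoked on the next login
        $user->last_jwt = $token;
        $user->save();

        return response()->json(compact('token'));
    }
}
```

The `jwt.auth` middleware on protected routes checks the blacklist on every request, so once the previous token is invalidated here, a device still holding it gets a 401 and must log in again.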