On Monday, January 22, 2018 at 9:07:20 PM UTC+13, Roland Weber wrote:

> On Saturday, January 20, 2018 at 12:08:16 AM UTC+1, Lawrence D’Oliveiro wrote:
>
>> Surely it’s the other way round, the usual practice being to maintain a
>> store of *valid* tokens, with a finite lifetime attached to each
>> (perhaps reset when they get presented again). The tokens get deleted
>> either on explicit logout or implicitly on lifetime expiry. Anything that
>> isn’t currently recognized from the store entries is invalid.
>
> Nope, that would require a central store of tokens.

Which you have to have somewhere anyway.

> In single sign-on environments, or with more complex authentication
> schemes like OAuth, web servers have to accept tokens that were issued
> elsewhere. They don't know about a token until it is presented to them.

Don’t they have to check back with the issuing server(s) to validate those tokens anyway? Then if they pass, keep them in a local cache for some reasonable time, either until their expiry (if that’s not too long) or until they need to be rechecked for validity.

Either way, you do *not* want to maintain an ever-growing store of *invalid* tokens, only a limited and regularly-pruned store of *valid* ones. This is all just basic security stuff.

--
You received this message because you are subscribed to the Google Groups "Project Jupyter" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/jupyter/c8921e7d-e9cc-4c52-8900-434d55a38406%40googlegroups.com.
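The valid-token store argued for in this exchange, as an added example that is not code from the thread or from the Jupyter project: a bounded cache of currently valid tokens with a finite, sliding lifetime, explicit logout, pruning, and an optional check-back with the issuer on a miss. `ValidTokenStore` and the `validate_remote` callback are hypothetical names; the clock is injectable so the lifetimes can be exercised deterministically.

```python
import hashlib
import time
from typing import Callable, Dict, Optional, Tuple


class ValidTokenStore:
    """Store of *currently valid* tokens, each with a finite lifetime (hypothetical class).
    Entries are keyed by SHA-256 digest so raw bearer tokens never sit in the store.
    validate_remote, if given, asks the issuer about an unknown token and returns its
    expiry time or None; it is consulted only on a cache miss, never for known tokens."""

    def __init__(self, cache_ttl: float = 300.0, validate_remote=None,
                 clock: Callable[[], float] = time.monotonic):
        self.cache_ttl, self.validate_remote, self.clock = cache_ttl, validate_remote, clock
        self._entries: Dict[str, Tuple[float, float]] = {}  # digest -> (local expiry, issuer expiry)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def admit(self, token: str, hard_expiry: float) -> None:
        now = self.clock()  # register a token we issued or validated; lifetime capped by the issuer
        self._entries[self._key(token)] = (min(now + self.cache_ttl, hard_expiry), hard_expiry)

    def check(self, token: str) -> bool:
        """True iff known and unexpired; presenting resets the local lifetime, never past the issuer's."""
        now, key = self.clock(), self._key(token)
        entry = self._entries.get(key)
        if entry is not None and now < entry[0]:
            self._entries[key] = (min(now + self.cache_ttl, entry[1]), entry[1])
            return True
        self._entries.pop(key, None)  # stale: drop it rather than remembering it as invalid
        if self.validate_remote is None:
            return False  # this store is authoritative: unknown means invalid
        hard_expiry = self.validate_remote(token)
        if hard_expiry is None or hard_expiry <= now:
            return False  # negative answers are not cached, so the store cannot grow with junk
        self.admit(token, hard_expiry)
        return True

    def logout(self, token: str) -> None:
        self._entries.pop(self._key(token), None)

    def prune(self) -> int:
        """Drop expired entries; the store stays bounded by the number of live sessions."""
        now = self.clock()
        dead = [k for k, (exp, _) in self._entries.items() if now >= exp]
        for k in dead: del self._entries[k]
        return len(dead)

    def size(self) -> int:
        return len(self._entries)
```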