[-] epicspongee@lemmy.blahaj.zone 1 points 1 year ago

It not only verifies that any given incoming request is in the absolute correct format it also validates the timestamp in the user’s cookie (it’s a JWT thing).

This is false.

Lemmy's JWTs are forever tokens that do not expire. They do not have any expiration time. Here is the line of code where they disable JWT expiration verification.

Lemmy's JWTs are sent via a cookie and via a URL parameter. Pop open your browser console and look at it.

There is no way to revoke individual sessions other than changing your password.

If you are using a JWT cookie validation does not matter, you need to have robust JWT validation. Meaning JWTs should have short expiration times (~1hr), should be refreshed regularly, and should be sent in the header.

193
AmeriRule (lemmy.blahaj.zone)

epicspongee

joined 1 year ago