My dumbass colleague thinks the best idea for a RESTful API backend is to store some kind of session based on the token.

It'd be great if that remained as an idea instead of this 11 month-old system he built before I got in.


Yes, it does mean that if the server boots for whatever reason, everyone has to log in again to get a valid token LOL

  • 5
    Seems normal to me. On new version deploy, emergency restart or maintenance restart, all caches should be cleaned up and keys invalidated. Plus, except if it happens once every two hours, I don't see a problem with logging in again, especially with KeePass auto-filling the login information for me.
  • 1
    @Artemix Don't want to be rude here. But do you get what the main point of RESTful APIs using JWT tokens is?
  • 5
    This was the standard years ago.

    Lots of developers don't know what JWT is.

    I share the sentiment, but you shouldn't be an asshole about it. Some people simply don't know. You should explain it to them.
  • 0
    I am by no means an expert here but I have read that both have their merits and demerits. For a simple service, sessions could also be a way to go
  • 0
    @perotti but what if the payload model of the JWTs needs to change? Basically, unsupport the "old" payload model.

    It still seems pretty wise to me
  • 0
    @Artemix that's why you'd use validators. You can't blindly accept a token just because.
    REST APIs shouldn't keep any kind of session
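    The two points argued in this thread, a stateless token that survives a server restart and validators that reject tokens with an outdated payload model, as an added example that is not part of the original post or any commenter's code. It uses only the Python standard library to issue and verify an HS256-style JWT; the secret, the claim names (`sub`, `exp`, `ver`) and the payload version number are constructed for the example.

    ```python
    import base64
    import hashlib
    import hmac
    import json
    import time
    from typing import Optional

    # Constructed example secret. In a real service this comes from persistent
    # configuration, which is exactly why verification survives a restart:
    # nothing about the token has to be kept in server memory.
    SECRET = b"example-secret-do-not-use-in-production"

    # Constructed payload version: bump it when the claim model changes and
    # every token carrying the old version is refused by the validator below.
    CURRENT_PAYLOAD_VERSION = 2


    def _b64url(data: bytes) -> str:
        """Unpadded base64url, as JWT uses."""
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


    def _b64url_decode(text: str) -> bytes:
        """Inverse of _b64url; re-adds the stripped padding."""
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


    def issue_token(claims: dict, secret: bytes = SECRET) -> str:
        """Build header.payload.signature with an HMAC-SHA256 signature."""
        header = {"alg": "HS256", "typ": "JWT"}
        compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
        signing_input = f"{_b64url(compact(header))}.{_b64url(compact(claims))}"
        sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
        return f"{signing_input}.{_b64url(sig)}"


    def verify_token(token: str, secret: bytes = SECRET,
                     now: Optional[float] = None) -> Optional[dict]:
        """Return the claims if every check passes, otherwise None.

        The token is never accepted "just because": the signature, the
        algorithm, the expiry and the payload version are all validated.
        """
        now = time.time() if now is None else now
        try:
            h, p, s = token.split(".")
            header = json.loads(_b64url_decode(h))
            given_sig = _b64url_decode(s)
            claims = json.loads(_b64url_decode(p))
        except ValueError:
            # Malformed structure, bad base64 or bad JSON (all ValueError subclasses).
            return None

        # Pin the algorithm so a forged header (e.g. "alg": "none") is refused.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None

        expected_sig = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, given_sig):
            return None

        # Claim validators: expiry, required subject, and payload-model version.
        if not isinstance(claims, dict):
            return None
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or exp <= now:
            return None
        if "sub" not in claims:
            return None
        if claims.get("ver") != CURRENT_PAYLOAD_VERSION:
            return None
        return claims


    if __name__ == "__main__":
        tok = issue_token({"sub": "alice", "ver": CURRENT_PAYLOAD_VERSION,
                           "exp": int(time.time()) + 3600})
        print(tok)
        print(verify_token(tok))
    ```

    Because `verify_token` depends only on the secret and the clock, a freshly started process accepts tokens issued before the restart; rolling the payload model is handled by changing `CURRENT_PAYLOAD_VERSION` rather than by keeping per-token state on the server.
    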
  • 0
    One of my teachers recommended this method for my Android app