Evaluate your knowledge of securely logging out users in JWT and token-based authentication systems, focusing on session invalidation, token revocation, and common security risks. This quiz highlights essential strategies and best practices for developers and security testers dealing with token management in modern authentication flows.
Where should JWTs ideally be stored on the client side to minimize the risks of cross-site scripting (XSS) attacks?
Explanation: Holding the JWT only in memory (for example, a variable inside a closure that a fetch wrapper reads) keeps it out of any persistent store that every script on the origin can enumerate, and the token is gone on page refresh or tab close. This shrinks the exposure rather than removing it: a script injected via XSS still runs in the same page and can intercept requests or read the variable, so in-memory storage must be paired with XSS prevention and a short token lifetime. localStorage and sessionStorage are readable by any script on the origin, and cookies without the HttpOnly flag are readable through document.cookie, so all three hand a stolen token to an XSS payload. HttpOnly cookies keep the token out of JavaScript entirely, but the browser then attaches the cookie automatically, which requires CSRF defenses such as the SameSite attribute and anti-CSRF tokens. Only HttpOnly cookies or in-memory storage are recommended for sensitive tokens.
If a JWT is self-contained and the server does not maintain session state, what is a reliable method to revoke a user's authentication upon logout?
Explanation: A server-side denylist (revocation list) records the identifier of each logged-out token, typically its jti claim, together with its exp so the entry can be dropped once the token would have expired anyway. Every protected endpoint must consult the list after verifying the signature, because a self-contained JWT otherwise needs no lookup and stays valid until exp; the list also has to be shared across all API instances, for example in a central cache. Deleting the token on the client only stops that client from sending it and does nothing about a stolen copy. Changing user data or shortening the lifetime of tokens issued after logout does not affect tokens already in circulation. Server-side revocation is therefore necessary for an effective logout.
After a user logs out from a JWT-based app and their access token is deleted from localStorage, what is the primary risk if the token was previously stolen by an attacker?
Explanation: The stolen copy keeps working until its exp unless the server checks a revocation list. Removing the token from the user's localStorage changes nothing for an attacker who already holds it, and the server cannot tell the two copies apart from the token alone, since both carry the same valid signature and claims. Clearing the client copy also has no effect on tokens issued later. Only server-side revocation at logout prevents misuse of a stolen token.
In a scenario where both access and refresh tokens exist, what should happen to the refresh token when a user explicitly logs out?
Explanation: On an explicit logout both the access token and the refresh token must be revoked on the server and removed from the client. A refresh token that remains valid lets whoever holds it, whether the attacker or the user, obtain a new access token without presenting credentials, so revoking only the access token leaves the session open to being refreshed back to life. Leaving the refresh token in sessionStorage or ignoring it altogether is not secure; refresh tokens live longer than access tokens, which makes them the more valuable target. Rotating refresh tokens on each use, so that a presented token is revoked and replaced, further limits the damage from a leaked one.
Which approach helps minimize the risk window for an attacker using a stolen JWT after logout?
Explanation: Short-lived access tokens (minutes rather than hours or days) bound how long a stolen JWT can be used, which narrows the attack window after logout even when the server does not check a revocation list. Long-lived tokens widen that window, and tokens placed in URLs leak through server logs, browser history, and the Referer header. Unlimited token reuse is inherently insecure. A short expiration combined with server-side revocation at logout is the best protection against misuse of a token after logout.
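The revocation list, the stolen-token scenario, the refresh-token handling and the short expiry from the questions above, worked through in one runnable Python example. This is an added illustration, not code from the quiz or from any particular library: it implements HS256 JWTs with the standard library, uses a plain dict as the denylist (a real deployment would use a shared store such as Redis with per-entry TTLs), and uses a constructed demo secret and constructed token lifetimes.

```python
"""Stateless HS256 JWTs plus a server-side denylist so that logout revokes."""
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed demo secret; load from a secret manager in real code.
SECRET = b"demo-only-signing-secret"
ACCESS_TTL = 300          # 5 minutes: keeps the window for a stolen token small
REFRESH_TTL = 7 * 86400   # 7 days


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def sign(claims: dict) -> str:
    """Produce header.payload.signature for the given claims (HS256)."""
    signing_input = _b64url(_json({"alg": "HS256", "typ": "JWT"})) + "." + _b64url(_json(claims))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def issue_pair(sub: str, now: int):
    """Issue a short-lived access token and a longer-lived refresh token.
    Each carries a unique jti so it can be revoked individually and a 'use'
    claim so a refresh token is never accepted where an access token is expected."""
    access = sign({"sub": sub, "use": "access", "jti": uuid.uuid4().hex,
                   "iat": now, "exp": now + ACCESS_TTL})
    refresh = sign({"sub": sub, "use": "refresh", "jti": uuid.uuid4().hex,
                    "iat": now, "exp": now + REFRESH_TTL})
    return access, refresh


def _parse(token: str):
    """Return the claims if the signature verifies, else None. Does not check exp."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        if header.get("alg") != "HS256":      # refuses alg=none and algorithm confusion
            return None
        expected = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return None
        return json.loads(_b64url_decode(p64))
    except (ValueError, UnicodeDecodeError):  # bad structure, bad base64, bad JSON
        return None


def check(token: str, use: str, denylist: dict, now: int):
    """Validate a token for one use. Returns (claims, 'ok') or (None, reason)."""
    claims = _parse(token)
    if claims is None:
        return None, "bad_signature"
    if claims.get("use") != use:
        return None, "wrong_token_type"
    if claims.get("exp", 0) <= now:
        return None, "expired"
    if claims.get("jti") in denylist:         # the server-side revocation check
        return None, "revoked"
    return claims, "ok"


def revoke(token: str, denylist: dict) -> bool:
    """Denylist a token's jti until its own exp; it need not be kept longer."""
    claims = _parse(token)
    if claims is None or "jti" not in claims:
        return False
    denylist[claims["jti"]] = claims.get("exp", 0)
    return True


def logout(access_token: str, refresh_token: str, denylist: dict) -> None:
    """Explicit logout revokes both tokens server-side; deleting them on the
    client alone would leave any stolen copies usable until they expire."""
    revoke(access_token, denylist)
    revoke(refresh_token, denylist)


def rotate_refresh(refresh_token: str, denylist: dict, now: int):
    """Reject a revoked or expired refresh token; otherwise revoke the presented
    one and issue a fresh pair, so a leaked refresh token is single-use."""
    claims, reason = check(refresh_token, "refresh", denylist, now)
    if claims is None:
        return None, reason
    revoke(refresh_token, denylist)
    return issue_pair(claims["sub"], now), "ok"


def prune(denylist: dict, now: int) -> int:
    """Drop entries whose tokens have expired anyway; returns the number removed."""
    stale = [jti for jti, exp in denylist.items() if exp <= now]
    for jti in stale:
        del denylist[jti]
    return len(stale)


if __name__ == "__main__":
    now, denylist = int(time.time()), {}
    access, refresh = issue_pair("alice", now)
    print(check(access, "access", denylist, now)[1])      # ok
    logout(access, refresh, denylist)                     # "stolen" copies below
    print(check(access, "access", denylist, now)[1])      # revoked
    print(rotate_refresh(refresh, denylist, now)[1])      # revoked
    print(prune(denylist, now + REFRESH_TTL + 1))         # 2
```

The point of `check` is that signature verification alone passes the stolen copy after logout; only the denylist lookup rejects it. `prune` shows why the list stays bounded: an entry is only needed until the token's own exp, which is also why a short ACCESS_TTL keeps the list small.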