Severity: medium | CWE-613 (Insufficient Session Expiration) | OWASP A07:2021 (Identification and Authentication Failures)

Token Not Invalidated on Logout

JWT or session tokens remain valid after a user logs out because there is no server-side revocation mechanism, so a stolen token keeps working until it expires (and forever if it carries no expiry at all).

How It Works

Stateless JWTs have no built-in revocation: the server accepts any token whose signature verifies and whose exp claim has not passed. Logging out on the client (deleting the token from memory or localStorage) changes nothing on the server, so an attacker who captured the token before logout can keep using it until it expires, which may be hours or days away, or never if the token has no exp claim. The fix is a server-side record of revoked tokens that every authenticated request consults, combined with short token lifetimes so the record stays small and the exposure window stays short.

Vulnerable Code
// BAD: logout just clears client-side storage
export async function POST() {
  // Just tells the client to delete the token
  // But the token itself is still valid server-side
  return Response.json({ message: 'Logged out' });
}
Secure Code
// GOOD: maintain a token denylist in Redis
import jwt from 'jsonwebtoken';
import { redis } from '@/lib/redis';
export async function POST(req: Request) {
  const token = req.headers.get('authorization')?.split(' ')[1];
  if (token) {
    try {
      // Verify, don't just decode: an unsigned token with a far-future exp
      // would otherwise let anyone pin an entry in Redis for years
      const decoded = jwt.verify(token, process.env.JWT_SECRET!) as { exp: number };
      // TTL = remaining lifetime, so the entry dies when the token would anyway
      const ttl = decoded.exp - Math.floor(Date.now() / 1000);
      if (ttl > 0) await redis.setex(`denylist:${token}`, ttl, '1');
    } catch {
      // Invalid or already-expired token: nothing to revoke
    }
  }
  // The auth middleware must reject any request whose token has a
  // `denylist:` entry; writing the entry alone revokes nothing
  return Response.json({ message: 'Logged out' });
}

Real-World Example

Any app that stores JWT tokens (mobile apps, browser extensions, third-party integrations) is exposed. If a user logs out on their phone after suspecting compromise, the attacker's copy of the token keeps working until it expires. Managed providers such as Supabase Auth revoke the refresh token on sign-out so no new access tokens can be minted, and keep access tokens short-lived to bound the remaining window; rolling your own JWT auth is where this bites you.

How to Prevent It

  • Maintain a token denylist in Redis, keyed by the token's jti (or a hash of the token) with a TTL equal to the token's remaining lifetime, and check it on every authenticated request
  • Use short-lived tokens (15 minutes) to minimize the window between logout and token expiry, and always set an exp claim
  • For session-based auth, delete or mark invalid the server-side session record on logout so the session ID cannot be replayed
  • Consider using Supabase Auth or Auth.js, which handle session invalidation correctly

Affected Technologies

Node.js, Next.js, Python

Data Hogo detects this vulnerability automatically.
