You are mostly correct, some additional insight from someone who works with security/privacy stuff:
That is different in the EU I grant you
Even in the EU, when a user requests to delete their data, you’re allowed to keep enough to validate they were a previous rule-breaker so they can’t just delete their data and re-register
The session staying open is bad security though.
There isn’t enough context to say for sure, but in general this is standard practice. JWTs, probably the most widely adopted standard for authorization on the web, have an expiry date and cannot be revoked. Yes it’s not great security, but I want to emphasize this is standard practice. Google, Apple, Meta, Slack, etc all do this.
Also, when you request data deletion, the companies have up to a month to do it. I’m not sure if OP expected it to be instant, but it doesn’t have to be
Thanks for your insights in gdpr. Jwts though I know can be invalidated, but it’s a few extra steps, and I’m not surprised when companies don’t go the extra mile. It’s usually such a niche case where someone logs in, has a jwt, and the server needs to invalidate it, but it happens.
General practice for JWTs is to keep a list of “revoked but not yet expired” tokens, and check against that. That list will generally be tiny, since each item only stays on the list for as long as the normal lifetime of a token is, so it’s not really burdensome to maintain and replicate.
You are mostly correct, some additional insight from someone who works with security/privacy stuff:
Even in the EU, when a user requests to delete their data, you’re allowed to keep enough to validate they were a previous rule-breaker so they can’t just delete their data and re-register
There isn’t enough context to say for sure, but in general this is standard practice. JWTs, probably the most widely adopted standard for authorization on the web, have an expiry date and cannot be revoked. Yes it’s not great security, but I want to emphasize this is standard practice. Google, Apple, Meta, Slack, etc all do this.
Also, when you request data deletion, the companies have up to a month to do it. I’m not sure if OP expected it to be instant, but it doesn’t have to be
Thanks for your insights in gdpr. Jwts though I know can be invalidated, but it’s a few extra steps, and I’m not surprised when companies don’t go the extra mile. It’s usually such a niche case where someone logs in, has a jwt, and the server needs to invalidate it, but it happens.
I thought Google is using macaroons, an extension(?) of jwts, which can be revoked
General practice for JWTs is to keep a list of “revoked but not yet expired” tokens, and check against that. That list will generally be tiny, since each item only stays on the list for as long as the normal lifetime of a token is, so it’s not really burdensome to maintain and replicate.