thomastospace, I need some #PHP feedback on a test implementation of JWT token auth:
JWT tokens are valid forever; however, we would like to invalidate all tokens when a user changes their password.
We've solved this by saving a random value on the user and storing this in the token. Whenever the token is used, we check if this is the same. When a password gets changed, we also change this value, which then makes all old tokens invalid because they don't contain this value.
How does this sound to you?
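The scheme described in the post, worked through as an added PHP example (this is not the poster's code): a per-user random nonce is stored next to the user record, embedded as a claim in an HS256 JWT, compared on every verification, and rotated when the password changes. The in-memory `$users` array standing in for the database, the `$secret` placeholder, and the claim name `nonce` are assumptions of this example.

```php
<?php
// Added example, not the poster's implementation. Assumptions: an in-memory
// $users array stands in for the user table, $secret is a placeholder for the
// server-side signing key, and the claim name "nonce" is arbitrary.
declare(strict_types=1);

function base64url_encode(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $data): string {
    $pad = strlen($data) % 4;
    if ($pad !== 0) { $data .= str_repeat('=', 4 - $pad); }
    return base64_decode(strtr($data, '-_', '+/'), true) ?: '';
}

// Constructed user record: password hash plus the random value the post describes.
$users = [
    42 => [
        'password_hash' => password_hash('initial-password', PASSWORD_DEFAULT),
        'token_nonce'   => bin2hex(random_bytes(16)),
    ],
];

function issue_token(array $users, int $userId, string $secret, int $ttl = 3600): string {
    $header  = ['alg' => 'HS256', 'typ' => 'JWT'];
    $payload = [
        'sub'   => $userId,
        'iat'   => time(),
        'exp'   => time() + $ttl,                    // keep an expiry as well as the nonce check
        'nonce' => $users[$userId]['token_nonce'],   // the per-user random value from the record
    ];
    $signingInput = base64url_encode(json_encode($header)) . '.' . base64url_encode(json_encode($payload));
    $signature    = hash_hmac('sha256', $signingInput, $secret, true);
    return $signingInput . '.' . base64url_encode($signature);
}

// Returns the user id for a valid token, or null if it must be rejected.
function verify_token(array $users, string $token, string $secret): ?int {
    $parts = explode('.', $token);
    if (count($parts) !== 3) { return null; }
    [$h, $p, $s] = $parts;

    // Only accept the algorithm we issue with; do not trust the header's choice.
    $header = json_decode(base64url_decode($h), true);
    if (!is_array($header) || ($header['alg'] ?? '') !== 'HS256') { return null; }

    // Signature check first, in constant time.
    $expected = hash_hmac('sha256', "$h.$p", $secret, true);
    if (!hash_equals($expected, base64url_decode($s))) { return null; }

    $payload = json_decode(base64url_decode($p), true);
    if (!is_array($payload) || !isset($payload['sub'], $payload['exp'], $payload['nonce'])) { return null; }
    if (time() >= (int) $payload['exp']) { return null; }

    $userId = (int) $payload['sub'];
    if (!isset($users[$userId])) { return null; }

    // The check from the post: the nonce in the token must match the one currently on the user.
    if (!hash_equals($users[$userId]['token_nonce'], (string) $payload['nonce'])) { return null; }
    return $userId;
}

function change_password(array &$users, int $userId, string $newPassword): void {
    $users[$userId]['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    // Rotating the nonce is what makes every previously issued token fail verification.
    $users[$userId]['token_nonce'] = bin2hex(random_bytes(16));
}

// Walk-through: issue a token, verify it, change the password, verify the same token again.
$secret = 'REPLACE-WITH-A-LONG-RANDOM-SERVER-SECRET';
$token  = issue_token($users, 42, $secret);
echo 'before password change: ', verify_token($users, $token, $secret) === 42 ? 'accepted' : 'rejected', PHP_EOL;
change_password($users, 42, 'new-password');
echo 'after password change:  ', verify_token($users, $token, $secret) === 42 ? 'accepted' : 'rejected', PHP_EOL;
```

Two points a reviewer would raise on the approach itself, both visible in the example: the nonce comparison requires a user lookup on every request, so the tokens are no longer stateless, and the same rotation hook can serve a "log out everywhere" action as well as a password change; and the `exp` claim stays in place, because the nonce only revokes tokens when the record changes and does not bound how long a token that is never revoked remains usable.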