A user logs out of a web app that uses short-lived JWTs (15-minute expiry) with no server-side revocation list. What is the security implication?
- 1. No risk: the user is logged out and the token is deleted from localStorage
- 2. The JWT remains valid on the server side until it expires; a stolen token can still be used ✓ correct
- 3. The signature becomes invalid after logout
- 4. JWTs are encrypted, so a stolen token cannot be read
JWTs are stateless: the server validates them purely by checking the cryptographic signature and the expiry claim (`exp`). 'Logout' on the client side (deleting the token from memory/storage) only removes it from that browser. The token itself remains valid until its `exp` time. If a token is stolen (e.g. via XSS or network interception) before logout, the attacker can continue using it for up to 15 minutes, and the server has no way to tell the attacker's copy from the user's. Option 4 is also wrong: a standard JWT is a JWS, which is signed but not encrypted; the header and claims are only base64url-encoded and anyone holding the token can read them (only a JWE is encrypted). To truly revoke a JWT you need server-side state: maintain a blocklist (e.g. a Redis set of revoked `jti` claims with TTL equal to the token's remaining lifetime, after which the `exp` check rejects it anyway) and check every request against it. That adds a lookup per request and partly sacrifices the statelessness advantage. A common compromise is to keep access tokens very short-lived and make only the refresh token revocable, which bounds the damage window to the access-token lifetime rather than eliminating it. This is why server-side sessions (opaque session IDs + server-stored state) remain preferable for apps requiring instant revocation (banking, healthcare).
The JWT remains valid for up to 15 minutes after logout — revocation requires server state.