I have a schema where users can have a session/token. My application is a web-app, so when the app receives a request with a <appname>_session cookie, it looks up the user which has the provided session/token and considers the user logged in if a user is found.

Now, tokens aren't valid forever. So what I do is to look up the transaction that added this token, and check if the token was created/asserted within a reasonable time (a week).

The interesting thing here is that I don't really need to retract tokens to avoid logging in users with invalid tokens, as I always check the transaction time. But I'm wondering if there are advantages to periodically retracting invalid tokens anyway?

As an example, say I have a user that has logged in one thousand times (and so has one thousand session tokens), would there be any benefit to retract all the invalid tokens when I always check the validity of the token by its creation time?
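Both halves of the question, the txInstant-based validity check and a periodic sweep that retracts expired tokens, as an added example that is not part of the original post. It assumes Datomic's peer API, a cardinality-many, unique `:user/session` attribute (hypothetical name), and a one-week lifetime.

```clojure
(ns session.tokens
  (:require [datomic.api :as d]))

;; Token lifetime: one week, as in the question.
(def max-age-ms (* 7 24 60 60 1000))

(defn- token-tx-instant
  "The :db/txInstant of the transaction that asserted [user :user/session token].
   The ?tx slot of the datom pattern gives that transaction's entity id."
  [db token]
  (when-let [[user tx] (first (d/q '[:find ?u ?tx
                                      :in $ ?token
                                      :where [?u :user/session ?token ?tx]]
                                    db token))]
    {:user user :created (:db/txInstant (d/entity db tx))}))

(defn user-for-token
  "Returns the user entity if the token exists AND was asserted within
   max-age-ms of `now`; nil otherwise. Stale tokens still in the db are
   rejected here, which is the check the question relies on."
  [db token ^java.util.Date now]
  (when-let [{:keys [user created]} (token-tx-instant db token)]
    (when (< (- (.getTime now) (.getTime created)) max-age-ms)
      (d/entity db user))))

(defn stale-token-retractions
  "Transaction data that retracts every :user/session datom asserted before
   `now` minus max-age-ms. Transact it with (d/transact conn ...) from a
   periodic job. Datomic's built-in < compares :db/txInstant dates directly."
  [db ^java.util.Date now]
  (let [cutoff (java.util.Date. (- (.getTime now) max-age-ms))]
    (for [[u token] (d/q '[:find ?u ?token
                           :in $ ?cutoff
                           :where [?u :user/session ?token ?tx]
                                  [?tx :db/txInstant ?t]
                                  [(< ?t ?cutoff)]]
                         db cutoff)]
      [:db/retract u :user/session token])))
```

The sweep does not change what `user-for-token` accepts, but it removes expired tokens from the current db value, so code paths that read `:user/session` without going through the txInstant check (a pull, a `d/entity` lookup in another feature) cannot treat a stale token as live. Retracted datoms remain in Datomic's history, so this bounds the live set, not the audit trail.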