SPA+API access tokens still valid even after a logout

So a question:
Let’s assume you implement a Single-Page Application (SPA) with an API.

  • Since this is an SPA, we are storing the access token in local storage
  • So a user who digs around can locate these access tokens and store them
  • Then the user logs out.
  • However, they can still make any call to the backend APIs until the token expires

Isn’t this a fundamental problem? From a high level, the user has logged out, yet he/she is still able to make API calls.

Thank you


As it has been more than a few months since this topic was opened, and there has been no reply or further information provided as to the existence of the issue, we are closing this topic. Please don’t hesitate to create a new topic if this issue is still present, we would be happy to work with you to help find a resolution.