Introduction Modern web applications (so called single page applications) often utilize JSON Web tokens (JWTs) for session handling instead of cookies. However, in many cases, the logout mechanism is not effectively implemented. The most critical issue arises when an XSS vulnerability is discovered.
Why should we even logout from a web application?
For security reasons, it is advisable for users to log out from a web application once they have completed their tasks.

Hacker News is a community-driven platform for sharing and discussing technology news, startups, and programming-related topics. Through user submissions and comments, Hacker News offers insights into emerging technology trends, industry developments, and entrepreneurial ventures. Readers can participate in discussions, share their insights, and stay informed about the latest advancements in technology and innovation.

Hacker News

Using JSON Web tokens (JWTs) for user sessions without an effectively implemented logout mechanism can lead to security vulnerabilities. An XSS vulnerability can allow an attacker to access and exploit the JWT, gaining unauthorized access to the application.

Stop using JSON Web tokens for user sessions

Title should have been
<blockquote>
Stop using JSON Web tokens for user sessions without a logout mechanism
</blockquote>
Nothing wrong with using JWTs, but you should implement a logout/ invalidation mechanism. A simple and easy one is to store a session key in the jwt and in redis (or similar), so when you validate the JWT and, you also just validate that this is a valid session.
Then you can also add a button in the users settings that lets them log out of, and see, all their sessions

Its an issue which i used to exploit on many apps. So token expiry should be realistic like 3 minutes or less so attacker cannot download data in that time. Create flawless experience for user to regenerate tokens.

I might be wrong but this is solvable with short live time + refresh token + reuse token detection, AFAIK auth0 does it.

<blockquote>
Just store their token in black list in Redis when users logout.
</blockquote>

using Passport for authentication purpose would be a better fit.