Joined February 2013

Arnold Daniels

Full-stack webdeveloper at Jasny

With an authentication scheme like this, you're not able to invalidate a token once it has been granted. If an intruder obtained a password and logged in, he can use the JWT forever. Setting a TTL in combination with asking for the existing password to change the password will somewhat solve the most dire cases, but it's still rather weak in comparison with invalidating sessions server side.

.serialize doesn't work for sending files. You need to use the FormData object.

Note that FormData isn't available for older browsers. There are some jQuery plugins that send the files using an iframe, but these aren't compatible with the file input plugin.

I'm not familiar with the inner workings of Yii. You need to find out (or ask) how the model is updated from $_FILES and $_POST.

508 Karma
50,021 Total ProTip Views