.. because you probably have two use cases:
- as a user I want to invalidate a specific session, without signing out all my devices
- as the system I want to be able to invalidate a session immediately
You can use a list to define which token is active, or a list where you store tokens you wont allow. In both cases you have to save the token and look it up in your database anyway. That said, you can use a plain old random strings to look up valid sessions (and eventually the user) in the DB.