How do you authenticate your users?

twitter logo ・1 min read

Hey, dev.to crowd.

I'm thinking about writing an article about different user authentication / session management methods and I'd like to take a survey.

How do you authenticate your users? How do you manage user sessions?

Do you use a cookie? With what flags? Do you use the Authentication header? Do you use JWT, Macaroons, some other crazy thing? No judgement in this post if you use session identifiers in local storage - although I'll be coming for you in the follow-up article. Please let me know in the comments!

twitter logo DISCUSS (10)
markdown guide
 

I've used a motley of methods including: sessions, jwt, and auth headers. At my job we use sessions for our internal PHP website as there is really no cons for our use case and it integrates with both our legacy system and our move to the symfony framework.

 

When you say sessions, do you mean session cookies? In terms of JWT, are you using that for stateless session management? What goes into the JWT body (if you can tell me)?

Thanks for your response!

 

Yes I do mean session cookies. They are easy to use in PHP and the default way to authenticate with Symfony (symfony.com/doc/master/components/...). Then yes I am using JWT for stateless auth, granted I do not technically have the need for stateless auth. I believe I stored a user JSON object in the JWT which means I didn't need to query the database again as long as the JWT was valid. For the specific implementation I used the Adonis node framework: adonisjs.com/docs/4.1/authenticati... / github.com/adonisjs/adonis-auth/tr...

This has got me thinking I need to dig into JWT token more.

I'll have to look at how Adonis's library is implemented.

I would shy away from putting the whole user record into the JWT cookie in the future! I'll actually expand on that exact use case in a follow-up, but for now this is a nice article: cryto.net/~joepie91/blog/2016/06/1....

 

Hey @eugene1832 , stumbled upon this post today while researching on a similar idea. Can you please share the link of the blog if you have written it, to see for myself if I can pick up anything from it.

 

Thanks for reminding me, this is next on my list to write

 

I have used JWT with the Auth0 SaaS as backend on several apps for many years. Auth and user management is a headache I don't need. Never use their SDKs/widgets. Just directly call the HTTP API endpoints from web/node/cli apps.

The downsides of using such a general purpose platform:

  • Everyone imagines user accounts slightly differently. The result is overly complex/abstract APIs.
  • It is also a PITA when some Auth0 API is deprecated even though it worked fine for your app. Code rot is no fun.
  • There is a theoretical concern about long term vendor lock-in. Though so far no problems as they allow export (on any paid plan, IIRC).
 

Auth0 is great. It is hard to stay simple when using a SaaS for something as complicated as user management.

 

Username and password or oauth.

Sessions are identified with a secure http only session cookie

 

Love it! Can start considering the samesite attribute as more browsers add support for it.

Classic DEV Post from Apr 12

Introducing The Recursive `Pipe` and `Compose` Types

It turns out, the recursive Pipe (and Compose) types offer key advantages over ...

Ari Kalfus profile image
Penetration tester and security engineer. @artis3n