DEV Community

loading...

Discussion on: Implementing Passwordless Authentication in Node.JS

Collapse
bigbott profile image
bigbott

Dangerous.
The attacker steals the mailbox and gets access to all applications/websites.

I think the best way is a custom stateless JWT that contains encrypted userID and timestamp and included in the request as both Cookie and a part of the request body (JSON). The server then compares JWT from Cookie and JSON and if they match -- keeps the user logged in and retrieves needed info from DB with userID.

Forem Open with the Forem app