I've used a motley of methods including: sessions, JWT, and auth headers. At my job we use sessions for our internal PHP website as there are really no cons for our use case and it integrates with both our legacy system and our move to the Symfony framework.
When you say sessions, do you mean session cookies? In terms of JWT, are you using that for stateless session management? What goes into the JWT body (if you can tell me)?
Thanks for your response!
Yes, I do mean session cookies. They are easy to use in PHP and the default way to authenticate with Symfony (symfony.com/doc/master/components/...). Then yes, I am using JWT for stateless auth, granted I do not technically have the need for stateless auth. I believe I stored a user JSON object in the JWT, which means I didn't need to query the database again as long as the JWT was valid. For the specific implementation I used the Adonis node framework: adonisjs.com/docs/4.1/authenticati... / github.com/adonisjs/adonis-auth/tr...
This has got me thinking I need to dig into JWT tokens more.
I'll have to look at how Adonis's library is implemented.
I would shy away from putting the whole user record into the JWT cookie in the future! I'll actually expand on that exact use case in a follow-up, but for now this is a nice article: cryto.net/~joepie91/blog/2016/06/1....
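To make the point above concrete, here is an added Python illustration (not code from the thread, Adonis or Symfony) of a minimal HS256 JWT: the constructed user record and key are assumptions, and the example shows that the payload is only base64url-encoded, so anyone holding the token can read every field put into it, while the signature only prevents tampering.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT: header.payload.signature."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def read_claims_without_key(token: str) -> dict:
    """Whoever holds the token can do this: the payload is encoded, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if the HMAC matches; None on a bad or tampered token."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig), expected):
        return None
    return json.loads(b64url_decode(payload))


# Constructed sample data (assumptions for this illustration).
KEY = b"constructed-demo-signing-key"
FULL_USER = {"id": 42, "email": "alice@example.test", "role": "user",
             "password_hash": "$2y$10$constructed-hash-value"}   # the "whole user record"
MINIMAL_CLAIMS = {"sub": "42", "exp": 1700000000}                # what a lean token carries


def compare_payloads() -> dict:
    """Show what each token exposes to anyone who merely possesses it."""
    fat, lean = sign_jwt(FULL_USER, KEY), sign_jwt(MINIMAL_CLAIMS, KEY)
    return {"fat": read_claims_without_key(fat), "lean": read_claims_without_key(lean)}
```

Because verification needs no database round trip, a role or password change in the user table is not seen until the token expires; that is the trade-off behind "no query while the JWT is valid".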