- JWT
- guarantees that the data came from the signer (integrity/authenticity) but not secrecy: the payload is serialized and signed, not encrypted
- https://blog.logrocket.com/jwt-authentication-best-practices/
- Why not to use JWT and instead use session
- JWT is just blobs of JSON that have been cryptographically signed; claims are the JSON data inside the JWT
- JWTs are larger (in bytes), require CPU to compute cryptographic signatures, and you are going to hit the database anyway (for manipulating user data/account)
- instead of storing a user ID inside of a JWT, then storing a JWT inside a cookie, store the user ID directly inside of the cookie and cache your session in a backend like memcached or redis
- https://developer.okta.com/blog/2017/08/17/why-jwts-suck-as-session-tokens
- fetch credentials: 'include'
- CORS prevents Cross-Site Request Forgery (CSRF): an attack that forces an end user to execute unwanted actions on a web app
- setting credentials: 'include' means to send user credentials (cookies, HTTP auth, etc.) even for cross-origin calls (by default they are only sent to the same origin)
- https://javascript.plainenglish.io/understanding-the-basics-to-fetch-credentials-863b25968ed5
- more about fetch:
- preflight request: a small request that is sent by the browser before the actual request. It contains information like which HTTP method is used and any custom HTTP headers. The browser does not send credentials with the preflight.
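Added example, not code from the original notes: the server side of a credentialed cross-origin call, showing the headers a preflight and the actual request need when the browser uses fetch with credentials: 'include'. The origins, allow-lists and lowercase header keys are constructed assumptions (Node.js style), with no framework.

```javascript
// Added example: CORS handling for an API called with fetch(url, { credentials: 'include' }).
// Assumed (constructed): lowercase request header keys as Node.js delivers them, and these allow-lists.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);
const ALLOWED_METHODS = new Set(['GET', 'POST']);
const ALLOWED_HEADERS = new Set(['content-type', 'x-csrf-token']);

// Browser side, as in the notes: credentials: 'include' attaches cookies to the
// cross-origin call; the server must answer with the headers computed below or
// the browser discards the response.
function clientOptions(csrfToken) {
  return {
    method: 'POST',
    credentials: 'include',
    headers: { 'content-type': 'application/json', 'x-csrf-token': csrfToken },
  };
}

// Server side: returns { status, headers } for a request with this method and headers.
function corsHeaders(method, reqHeaders) {
  const origin = reqHeaders['origin'];
  if (origin === undefined) return { status: 200, headers: {} }; // not a cross-origin browser call
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {} }; // unknown origin: no CORS headers

  const headers = {
    // With credentials the browser rejects '*', so the exact allow-listed origin is echoed.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // shared caches must not serve one origin's answer to another
  };

  if (method === 'OPTIONS') {
    // Preflight: the browser sends it without cookies, so it must not require a session.
    const reqMethod = reqHeaders['access-control-request-method'];
    if (!ALLOWED_METHODS.has(reqMethod)) return { status: 403, headers: {} };
    // Do not echo the requested headers blindly; keep only those on the allow-list.
    const wanted = (reqHeaders['access-control-request-headers'] || '')
      .split(',').map((h) => h.trim().toLowerCase()).filter((h) => ALLOWED_HEADERS.has(h));
    headers['Access-Control-Allow-Methods'] = [...ALLOWED_METHODS].join(', ');
    headers['Access-Control-Allow-Headers'] = wanted.join(', ');
    headers['Access-Control-Max-Age'] = '600';
    return { status: 204, headers };
  }
  // Actual request: CORS only decides which origins may read the response; a credentialed
  // POST still needs its own CSRF defence (here the x-csrf-token header the client sends).
  return { status: 200, headers };
}
```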