The latest articles on DEV Community by eronaeon (@eronaeon). https://dev.to/eronaeon https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F30912%2F38a24414-ead4-48e9-8861-dc6701425420.png https://dev.to/eronaeon en eronaeon Wed, 02 May 2018 11:16:00 +0000 https://dev.to/eronaeon/whats-the-recommended-method-for-designing-secure-and-performant-web-sessions-in-2018-2l26 https://dev.to/eronaeon/whats-the-recommended-method-for-designing-secure-and-performant-web-sessions-in-2018-2l26 <p>Hi all! designing sessions is very essential for all modern webapps, however there is very little discussion about it. Let's assume that a webapp uses HTTPS by default (i.e. no worries about eavesdropping or modifying cookies).</p> <p>Let's say I just want to design a session that stores only user id, what's the best method to design sessions? from what I know:</p> <h2> Web based sessions: </h2> <p>clearly the main disadvantage is I have to go to the database every http request and check the session ID. Sure I can use Redis to cache session ids, but also I have to implement a write through logic if I happen to update the session content so that Redis and the DB are synchronized</p> <h3> Django's approach </h3> <p>just generate a random session id (long enough let's say more than 20 ascii chars) and store it in a cookie.</p> <h3> Express session's approach </h3> <p>same as Django but also adds HMAC to the session id cookie (isn't this redundant for a HTTPS connection?)</p> <h2> Client based sessions: </h2> <h3> JWT </h3> <p>lots of hate and critic about it even though it sounds pretty secure and more performant, and I am not sure how many respectable websites that actually implement it</p> <p>What do you recommend? what's the current recommended method for designing session logic for a website (hopefully that could be extended to a mobile app) in 2018?</p> discuss