Hi fellow readers! I hope you're doing great. In this article, we will learn about session and token-based authentication methods used in backend ...
Honestly, in the era of OAuth2, SSO, passwordless... JWTs are the way to go, but session IDs still have a lot of uses.
Also, at the beginning of projects, I try to abstract those concerns, as they are never a core business decision in the beginning, so I just use a framework (like NextAuth) and only deal with authorization (not authentication).
That's a great point. Authorization frameworks do make the job easy for us. Thanks for sharing your insights!
How does one log out? That's a major difference between them. Put differently, how does one revoke a token? If you have to check the token against a database of revoked tokens, how's that different from a session?
BTW, we're talking about self-sufficient tokens here, but other kinds of token exist that are just the same as session IDs, just sent differently (cookie vs "something else")
We can log out in token-based authentication by deleting the token stored in the browser (local/session/cookie storage). It is done in the frontend whereas if a session needs to be destroyed the command is executed in the server code.
Forgetting something or just stopping using it yourself has zero security value. So technically you cannot log out with a self-sufficient token, you cannot revoke it, unless you start making it stateful.
TL;DR: don't use such tokens, at least not that way.
(fwiw, I've written about this recently; unfortunately I'm on mobile right now so can't easily find the links; you'll find them in my DEV profile)
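The logout problem discussed above, as an added example (not the article's or any commenter's code): a self-contained HS256 token can only ever expire on its own, so making logout mean anything requires a server-side revocation store keyed by the token id. The signing key and the in-memory `REVOKED` set are constructed stand-ins for a configured secret and a database or cache.

```python
import base64, hashlib, hmac, json, time, uuid

SECRET = b"constructed-demo-secret"  # constructed; real code loads it from config

# Server-side revocation list keyed by token id (jti). This is exactly the state a
# self-contained token was meant to avoid: logout only works once it exists.
REVOKED: set[str] = set()

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(header: str, body: str) -> bytes:
    return hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()

def issue_token(user: str, ttl: int = 900, now=None) -> str:
    """Mint an HS256 JWT with a unique jti so it can be revoked individually."""
    now = int(time.time() if now is None else now)
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": user, "jti": uuid.uuid4().hex,
                            "iat": now, "exp": now + ttl}).encode())
    return f"{header}.{body}.{_b64(_sign(header, body))}"

def verify_token(token: str, now=None):
    """Return the claims if signature, alg, expiry and revocation checks pass."""
    now = time.time() if now is None else now
    try:
        header, body, sig = token.split(".")
        if not hmac.compare_digest(_sign(header, body), _unb64(sig)):
            return None  # tampered or foreign token
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None  # never let the token choose its own algorithm
        claims = json.loads(_unb64(body))
    except ValueError:  # bad structure, bad base64 or bad JSON
        return None
    if claims.get("exp", 0) <= now:
        return None  # expired: the only exit a purely stateless verifier has
    if claims.get("jti") in REVOKED:
        return None  # logged out server-side
    return claims

def logout(token: str, now=None) -> bool:
    """Revoke a still-valid token; entries can be dropped once their exp passes."""
    claims = verify_token(token, now)
    if claims is None:
        return False
    REVOKED.add(claims["jti"])
    return True
```

Deleting the token from the browser changes nothing here: until `logout` records the jti, the same token keeps verifying for whoever holds a copy.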
The article is amazing!
I'll put it out here for others to check it out as well. @tbroyer has pointed out some great points about the compromises we make while developing authorization.
Check it out: dev.to/tbroyer/beyond-the-login-pa...
Thanks for the kind words
The other article I wanted to point out was dev.to/tbroyer/what-are-jwt-nm0 about what JWT are best used for (spoiler: not any kind of "session"). And please don't take my word for it, go read the articles referenced at the end!
Use cookies if you want to store authentication data on the client side. You still need to append the token to every request you make; that's not different from a cookie.
If the server can't revoke a token at anytime it wants then it's bad. A minute is enough for an attacker if they acquire your JWT token...
One of the disadvantages of token-based authentication.
The backend language for my project is TypeScript.
Very well explained! Thanks for your time on this!
Glad that you liked it!
Redis put out this free e-book about why JWTs are not safe for sessions. Worth a read, esp if you care about the logout problem: redis.io/resources/json-web-tokens...
I really love the simplicity of your explanation. It really helps.
Thank you! Means a lot!
Very useful...
Thank you!!
Exceptionally good explanation. On the point.
Thank you!! Glad that you liked it!
Recently I developed a project based on token authentication. To keep the state, I store the token in the DB and match it for every subsequent request after authentication of the first request. Is this a good approach, or what could be the drawbacks?
not bad
Thank you!