DEV Community


Discussion on: JSON web tokens are NOT meant for authenticating the same user repeatedly: Use session tokens instead

leob profile image

The advice that I've always heard is: DON'T implement security yourself! It's far too easy for the average (web) dev "to do it wrong". So, use a good library instead, e.g. Passport.js in the Node.js world to mention a well-known one.

Now, choosing between session tokens or JWT's might not count as "implement your own security", but it gets close. Arguably the average mainstream web dev does not have enough knowledge/insight to make this decision.

So, again, use a library or framework (probably you should use the most popular / most well-supported), and go with what they support, or what they advise (for a given use case).

(note: I am not saying that it isn't a good idea to learn and understand about concepts like session tokens, JWT, XSS, CSRF and so on - it's a great idea to study this stuff and to have a general understanding of it ... but don't reinvent the wheel and implement your own auth or security)

Forem Open with the Forem app