loading...

Discussion on: Please Stop Using Local Storage

lietux profile image
Janne "Lietu" Enberg

cookies are inherently stateful because they require session data to be present on the server

Not exactly true. Many cookies use signatures or encryption to make the data trustworthy for the server, so there does not need to be the somewhat traditional "sessions" list in a database.

Thread Thread
bhaibel profile image
Betsy Haibel

Cool, I didn't know that! How does credential revocation work in that context? Or do you just maintain a really short validity window?

Thread Thread
lietux profile image
Janne "Lietu" Enberg

Well, it doesn't necessarily work. One way is to keep short validity, another is to tie it to e.g. the last update of the relevant user's password, or similar - you wouldn't have to check the contents of the package, just that it's been signed after the password has last changed.

There are lots of little options you could use, but it's not always necessary.

Thread Thread
bdruth profile image
Brice Ruth

I think lietu has just described JWT in a cookie ...