DEV Community

Ari Kalfus

How do you authenticate your users?

Hey, dev.to crowd.

I'm thinking about writing an article about different user authentication / session management methods and I'd like to take a survey.

How do you authenticate your users? How do you manage user sessions?

Do you use a cookie? With what flags? Do you use the Authentication header? Do you use JWT, Macaroons, some other crazy thing? No judgement in this post if you use session identifiers in local storage - although I'll be coming for you in the follow-up article. Please let me know in the comments!

Top comments (10)

buphmin

I've used a motley of methods including sessions, JWT, and auth headers. At my job we use sessions for our internal PHP website as there are really no cons for our use case and it integrates with both our legacy system and our move to the Symfony framework.

Ari Kalfus

When you say sessions, do you mean session cookies? In terms of JWT, are you using that for stateless session management? What goes into the JWT body (if you can tell me)?

Thanks for your response!

buphmin

Yes, I do mean session cookies. They are easy to use in PHP and the default way to authenticate with Symfony (symfony.com/doc/master/components/...). Then yes, I am using JWT for stateless auth, granted I do not technically have the need for stateless auth. I believe I stored a user JSON object in the JWT, which means I didn't need to query the database again as long as the JWT was valid. For the specific implementation I used the Adonis node framework: adonisjs.com/docs/4.1/authenticati... / github.com/adonisjs/adonis-auth/tr...

This has got me thinking I need to dig into JWT tokens more.

Ari Kalfus • Edited

I'll have to look at how Adonis's library is implemented.

I would shy away from putting the whole user record into the JWT cookie in the future! I'll actually expand on that exact use case in a follow-up, but for now this is a nice article: cryto.net/~joepie91/blog/2016/06/1....

Sebastiaan Deckers

I have used JWT with the Auth0 SaaS as backend on several apps for many years. Auth and user management are a headache I don't need. Never use their SDKs/widgets. Just directly call the HTTP API endpoints from web/node/cli apps.

The downsides of using such a general purpose platform:

  • Everyone imagines user accounts slightly differently. The result is overly complex/abstract APIs.
  • It is also a PITA when some Auth0 API is deprecated even though it worked fine for your app. Code rot is no fun.
  • There is a theoretical concern about long term vendor lock-in. Though so far no problems as they allow export (on any paid plan, IIRC).

Ari Kalfus

Auth0 is great. It is hard to stay simple when using a SaaS for something as complicated as user management.

Vaibhav • Edited

Hey @eugene1832, I stumbled upon this post today while researching a similar idea. Can you please share the link to the blog post if you have written it, so I can see for myself if I can pick up anything from it.

Ari Kalfus

Thanks for reminding me, this is next on my list to write.

rhymes

Username and password or OAuth.

Sessions are identified with a Secure, HttpOnly session cookie.

Ari Kalfus

Love it! You can start considering the SameSite attribute as more browsers add support for it.
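The last two comments describe the session cookie flags themselves: Secure, HttpOnly and SameSite. As an added, framework-agnostic example (not code from either commenter), the block below builds a Set-Cookie header with those flags switched on by default, and audits an arbitrary Set-Cookie header to report which of the three a session cookie is missing, which is a handy check to run against a real response. The cookie name `sid` and the values are constructed for the example; the rule that SameSite=None is only accepted together with Secure reflects current browser behaviour.

```javascript
// Added example: build a hardened session cookie header and audit an
// existing Set-Cookie header for missing Secure / HttpOnly / SameSite.
const SAMESITE_VALUES = ['strict', 'lax', 'none'];

// Produce a Set-Cookie header value. The defaults are the hardened settings,
// so a caller has to opt out of each protection explicitly.
function buildSessionCookie(name, value, opts = {}) {
  const { secure = true, httpOnly = true, sameSite = 'Lax', path = '/', maxAge } = opts;
  if (!SAMESITE_VALUES.includes(String(sameSite).toLowerCase())) {
    throw new Error(`invalid SameSite value: ${sameSite}`);
  }
  // Browsers drop a SameSite=None cookie that is not also Secure; fail early.
  if (String(sameSite).toLowerCase() === 'none' && !secure) {
    throw new Error('SameSite=None requires Secure');
  }
  if (/[;,\s]/.test(value)) throw new Error('cookie value must not contain ; , or whitespace');
  const parts = [`${name}=${value}`, `Path=${path}`];
  if (Number.isInteger(maxAge)) parts.push(`Max-Age=${maxAge}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Parse a Set-Cookie header value into name, value and a lower-cased
// attribute map (flag attributes such as Secure map to true).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Return the list of hardening flags a session cookie header lacks.
function auditSetCookie(header) {
  const { attrs } = parseSetCookie(header);
  const missing = [];
  if (!attrs.secure) missing.push('Secure');
  if (!attrs.httponly) missing.push('HttpOnly');
  if (!attrs.samesite) missing.push('SameSite');
  else if (!SAMESITE_VALUES.includes(String(attrs.samesite).toLowerCase())) {
    missing.push('SameSite (invalid value)');
  }
  return missing;
}
```

Running `auditSetCookie` over a header such as `sid=abc123; Path=/` reports all three flags missing, while the output of `buildSessionCookie('sid', 'abc123')` audits clean; SameSite=Lax is the sensible default for a first-party session, with Strict where a cross-site link landing on an authenticated page is acceptable to break.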