Hey, dev.to crowd.
I'm thinking about writing an article about different user authentication / session management methods and I'd like to take a survey.
How do you authenticate your users? How do you manage user sessions?
Do you use a cookie? With what flags? Do you use the Authentication header? Do you use JWT, Macaroons, some other crazy thing? No judgement in this post if you use session identifiers in local storage - although I'll be coming for you in the follow-up article. Please let me know in the comments!
Top comments (10)
I've used a motley of methods including: sessions, JWT, and auth headers. At my job we use sessions for our internal PHP website as there are really no cons for our use case and it integrates with both our legacy system and our move to the Symfony framework.
When you say sessions, do you mean session cookies? In terms of JWT, are you using that for stateless session management? What goes into the JWT body (if you can tell me)?
Thanks for your response!
Yes, I do mean session cookies. They are easy to use in PHP and the default way to authenticate with Symfony (symfony.com/doc/master/components/...). Then yes, I am using JWT for stateless auth, granted I do not technically have the need for stateless auth. I believe I stored a user JSON object in the JWT, which means I didn't need to query the database again as long as the JWT was valid. For the specific implementation I used the Adonis Node framework: adonisjs.com/docs/4.1/authenticati... / github.com/adonisjs/adonis-auth/tr...
This has got me thinking I need to dig into JWT tokens more.
I'll have to look at how Adonis's library is implemented.
I would shy away from putting the whole user record into the JWT cookie in the future! I'll actually expand on that exact use case in a follow-up, but for now this is a nice article: cryto.net/~joepie91/blog/2016/06/1....
I have used JWT with the Auth0 SaaS as backend on several apps for many years. Auth and user management is a headache I don't need. Never use their SDKs/widgets. Just directly call the HTTP API endpoints from web/node/cli apps.
The downsides of using such a general purpose platform:
Auth0 is great. It is hard to stay simple when using a SaaS for something as complicated as user management.
Hey @eugene1832, stumbled upon this post today while researching a similar idea. Can you please share a link to the blog if you have written it, so I can see for myself whether I can pick up anything from it.
Thanks for reminding me, this is next on my list to write
Username and password or oauth.
Sessions are identified with a secure http only session cookie
Love it! You can start considering the SameSite attribute as more browsers add support for it.