Introduction
As the digital world continues to expand, ensuring the security of web applications and protecting user data has become mor...
For further actions, you may consider blocking this person and/or reporting abuse
If you're using JWTs, please please please be aware that you cannot revoke existing tokens. This is a major issue if users can change passwords or privileges. In general, sessions will likely be a better choice and most (if not all) major sites use sessions.
Also, using
Bearer
tokens as stated here:isn't possible if you're storing it with http-only cookies.
Using 2 types of tokens won't make your application more secure if you're storing both of them inside cookies. An attacker will likely have access to the refresh token if they can steal the access token.
Every auth strategy will be susceptible to CSRF and/or XSS since you're storing something onto to browser. Setting
same-site
tostrict
means your users won't be logged in if they access your website via a link. This isn't an issue for websites for say banks, but will likely make UX worse for most sites. Check theOrigin
header for CSRF protection or use traditional CSRF tokens instead.Yes, this is true. However, refresh tokens are supposed to be used with short-lived authorization tokens and (importantly) invalidated when reused. This limits the attack potential to at worst two authorization tokens' lifetimes - the originally-hijacked one, and the one fetched with the refresh token, until the real user tries to redeem the refresh token (at which they must be required to re-authenticate, and none of the refresh tokens issued up to this point must be valid anymore).
Obviously this all matters very little if the attack vector is persistent, and authorization tokens should indeed be used as Bearer tokens rather than cookies, but refresh tokens do serve a security purpose.
Totally agree with you. That is why I have clearly stated those things in the article itself here: dev.to/nosherwan/effective-securit...
Thanks for sharing this.
Will look more into it and update the article accordingly.
These are some good points. thanks for sharing them.
You gotta admit that every one of these approaches has a downside.
There's one authentication type you missed: WebAuthn.
In my experience, SAML is a nightmare. When it works, it's a solid SSO solution for the end-user. When it doesn't work, it can take several hours of staring at the configuration on the enterprise side to spot the one thing that was overlooked. In an enterprise setting, there's at least one major SAML related problem every day for some random user. There's no particularly good enterprise alternative to SAML though as it is baked into ADFS, which makes it the de facto standard.
Thanks for sharing this 🙏
I've edited the article to include WebAtuhn.
Also take in mind that this article is just an introduction to the most popular types of auth standerds.
Hi, such a fine sharing I will follow this for my gastric bypass surgery website. Surely, this will help in growing my site as well.
Great article and easy to understand! Would be cool to see WebAuthn as another standard here as well :)
Thank you 🙏
I tried to include the ones that are used the most.
Will definitely add more in the future
hello I'm a front-end engineer.
I really like your article and would like to translate it, is it possible?
go ahead by all means.
Just share a link to it when you are done.
Hi, I'm glad you found the information helpful! Implementing the strategies mentioned in this article can indeed contribute to the growth of your hair transplant surgery website. By providing informative and engaging content, you can attract and educate your audience, establishing your site as a reliable resource in the field. Additionally, focusing on search engine optimization and utilizing social media platforms can help increase your site's visibility and reach. Best of luck with your website and the success of your hair transplantation services!