I have built an application with the MERN stack (Mongo, Express, React & Node.js). Now I am doing research on building an authentication system. There are literally tons and tons of tutorials and videos where a system is built on which the user is authenticated for a maximum of let's say 24 hours and then has to re-login. They all use either JWT or sessions with something like express-session. However, I am using certain websites where I am basically never logged out.
I would really like to create a system myself where the user is authenticated for at least 14 to 30 days without being prompted to re-login (ideally even longer). I cannot find good resources online on how to persist user login for long periods of time. I am aware that there are massive security trade-offs involved in creating such a system. I am also aware that I can just set the expiry time of a JWT or the maxAge of a session cookie to something like 14-30 days, but that seems like a really bad idea. However, I would really like to learn & read more about these authentication methods with persistent login over long periods of time.
Could someone provide some good resources / insights on this particular subject? What are some things that I should take into account?
CodePudding user response:
Generally, because security is difficult to implement correctly, it's recommended to use a third-party OAuth provider or at least a well-tested library for local authentication and authorization.
If you want to build your own system, you can implement one with two tokens: an authorization token and a refresh token. Set the expiry on the auth token to something short like an hour and the refresh token for as long as you'd like.
Pass the auth token on all requests and validate it on the back end. When the auth token expires, the server sends back an invalid token message and the client should then request a new auth token passing the refresh token. The server validates the refresh token and issues a new auth and refresh token to the client. This process repeats until the refresh token expires.
If both tokens expire, then the user must re-authenticate. When a user logs out, you need to expire / delete the auth and refresh tokens on both the client and server.
This system minimizes the exposure of a captured auth token while enabling the client access over longer periods of time.
This is only a rough and simplified version of how such a system could work. You'll have to come up with some way to validate tokens and keep track of which tokens belong to which users.
CodePudding user response:
For long-lived sessions, using stateless JWT may not be the best idea.
Critical requirements would be session invalidation and token theft detection, which JWT by itself cannot provide. You need some surrounding smart components for the whole setup.
Stateless JWT tokens cannot be invalidated or updated, and will introduce either size issues or security issues depending on where you store them. Stateful JWT tokens are functionally the same as session cookies, but without the battle-tested and well-reviewed implementations or client support.
Unless you work on a Reddit-scale application, there's no reason to be using JWT tokens as a session mechanism. Just use sessions.
http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/
