
Switch to session !

Open devlamine opened this issue 3 years ago • 4 comments

Hi @trangj, great job. I'm trying to understand the benefits (or differences) of using session-based vs token-based auth. A session is stored on the server, and the server is in charge of looking up the session ID that the user sends. Can this cause scalability problems? Your prompt reply will be greatly appreciated.

devlamine avatar May 28 '22 09:05 devlamine

@trangj Another question: does this change still work with crappit mobile and multiple domains?

devlamine avatar May 28 '22 14:05 devlamine

I think storing sessions in Redis solves the performance problem, to be confirmed by @trangj.

devgamesgalo avatar May 29 '22 20:05 devgamesgalo

@devlamine I used JWTs as access tokens and refresh tokens previously, but I just wanted to try out session-based auth. As mentioned, you can set a store for express-session and make it use Redis, which can improve performance a lot and avoid scalability problems.

From what I've learned trying both auth methods, both are fairly secure. To really make use of JWTs, you will have to set up access tokens and refresh tokens, which was a pretty big headache to be honest. Sessions, at least in Node, are decent, but express lacks some functionality for revoking all sessions based on a user ID. Definitely try both to see what you like more.

And to answer your second question, the change does work on crappit mobile, albeit I had to do an unorthodox fix to make it work. I had to save the cookie from the login request into AsyncStorage and then send it with every request.

trangj avatar May 30 '22 14:05 trangj

@trangj So in your experience you prefer sessions, but I see that refresh tokens are much better than using a long session in terms of security. On my side I prefer tokens because they are used a lot for REST APIs 😀; it's very rare to see a REST API that works with sessions, which is why I asked the question. I would also like to add that the refresh token should only be triggered if the token has expired.

devlamine avatar May 30 '22 15:05 devlamine