hey I'm planning to use this authentication method on my app.
1) browser sends creds
2) server sends an AES-encrypted session, which has the username
3) browser stores it in the local storage
4) the session has a creation date so it can be expired after some time
5) the encrypted session is sent with each request by the app, not the browser
How I see this: (might be wrong)
- CSRF can't use it
- with JWT, CSRF sends the refresh token each time and gets the server to respond, while this won't get a response since no session is sent with the request
- also it's stateless, so scales horizontally easily
Is this secure?
How is this compared to JWT?
40 Replies
Why are you reimplementing your own version of JWTs?
Auth is one of the few things you really shouldn't fuck around with much if you don't have really good reason
And using local storage for auth is almost always a code smell
I thought JWT was kind of bloated. I want it to be simpler.
Yeah, I know this is a very sensitive spot to mess around with.
Oh, I thought that when I encrypt it, it's not going to be an issue.
Also just thought of adding the date it was created so it can be expired.
and also it's fun to do tbh
but it's not cookie-based
I use local storage
yes, I want to see if it's really secure or better than JWT
I don't study web security, but I love implementing my own version of auth, kinda...
How is this compared to JWT?
in terms of security
or other aspects that I might not know
@venego what I'd recommend if you really want to learn the internals of Authentication is to just use next-auth and run your debugger to see what runs under the hood
I've written countless versions of our own custom authentication, but it has never been worth the effort.
thank you I'll try that
This made me feel that I'm wasting my time LOL, though it's what I needed to hear, I guess.
Wouldn't say wasted, every line written is an extra line of experience 😉
please don't
why?
well,
1) it's encrypted
2) if I have XSS, that's the last thing I would worry about