13 votes
Accepted

cookie vs. session vs jwt

Cookies: in their early version, a text file with a unique client Id and all the other information needed about the client (e.g. roles) Cookies are key-value tuples originally addressed to retain ...
Laiv • 15k
8 votes

cookie vs. session vs jwt

Cookies: in their early version, a text file with a unique client Id and all the other information needed about the client (e.g. roles) Your definition of cookie doesn't really describe what they do. ...
Samuel • 9,247
6 votes
Accepted

How can I store an user's capabilities to boost performance while allowing real-time updates of said capabilities?

You're not missing anything. To get the most up to date state, you need to query it (and even that will be delayed by the latency of your request). Caching it, or waiting for some event/message ...
Telastyn • 110k
5 votes

Security Issues with RESTful Authentication & Session Management

This answer may help you in terms of replay attacks at the network level. The use of a "nonce" can also help protect against the same semantic request being made multiple times by the same client. In ...
David • 151
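The nonce idea from David's answer, worked through as an added example (this is not code from the answer or from any project; the request shape, the per-client keying and the 300-second window are assumptions made for the illustration). The server remembers each (client, nonce) pair until the request's timestamp falls out of the acceptance window, after which the timestamp check alone rejects a replay, so the store never grows without bound:

```python
"""Server-side replay guard: a client nonce plus a timestamp window.

Added example, not from the original answer. Assumed request shape:
every signed request carries client_id, a client-chosen nonce and the
client's timestamp. Signature verification is out of scope here.
"""
import time
from typing import Dict, Optional, Tuple

WINDOW_SECONDS = 300  # assumed: max clock skew / delivery delay we tolerate


class ReplayGuard:
    def __init__(self, window: int = WINDOW_SECONDS):
        self.window = window
        # (client_id, nonce) -> moment after which the entry may be forgotten
        self._seen: Dict[Tuple[str, str], float] = {}

    def check(self, client_id: str, nonce: str, request_ts: float,
              now: Optional[float] = None) -> Tuple[bool, str]:
        """Return (accepted, reason) for one incoming request."""
        now = time.time() if now is None else now
        self._prune(now)
        # 1. Requests far outside the window are rejected regardless of nonce,
        #    which is what bounds how long a nonce has to be remembered.
        if abs(now - request_ts) > self.window:
            return False, "stale timestamp"
        # 2. Nonces are keyed per client so one client cannot burn another's.
        key = (client_id, nonce)
        if key in self._seen:
            return False, "replayed nonce"
        # Remember the nonce until the timestamp itself would be rejected.
        self._seen[key] = request_ts + self.window
        return True, "ok"

    def _prune(self, now: float) -> None:
        expired = [k for k, exp in self._seen.items() if exp < now]
        for k in expired:
            del self._seen[k]


if __name__ == "__main__":
    guard = ReplayGuard()
    t0 = 1000.0
    print(guard.check("client-a", "n1", t0, now=t0))        # (True, 'ok')
    print(guard.check("client-a", "n1", t0, now=t0 + 5))    # replayed nonce
    print(guard.check("client-a", "n2", t0 - 400, now=t0))  # stale timestamp
```

With several workers behind a load balancer the `_seen` map has to live in a shared store (the Redis or Memcached instance mentioned further down this page) rather than in process memory, otherwise a replay sent to a different worker is accepted.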
4 votes

Is it good practice to save an entire ViewModel in Session (C# ASP.NET MVC)

Putting all of your view model data in the session essentially creates global variables. If you have two different view models setting the same session key one will overwrite the other — and you ...
Greg Burghardt
4 votes
Accepted

User identity and microservices

The usual approach is for the authentication service to issue the user a signed token. Other services can verify the signature to check that the token is genuine. The token then contains the user ID. ...
amon • 136k
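The signed-token flow amon describes, as an added example rather than code from the answer or from any particular framework. It uses HMAC-SHA256 with a shared secret so it runs stand-alone; in a real deployment an asymmetric signature (the authentication service holds the private key, other services only the public key) is preferable, since then a compromised downstream service cannot mint tokens. The token layout, claim names and secret are assumptions:

```python
"""Issue and verify a signed identity token between services.

Added example, not the original answer's code. Assumptions: a shared
HMAC secret, a "body.signature" layout, and sub/iat/exp claim names.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"example-shared-secret-do-not-use"  # constructed; load from a secret store


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Authentication service: sign the claims so other services can trust them."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "iat": int(now), "exp": int(now) + ttl_seconds}
    body = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(SECRET, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Any other service: return the user id if signature and expiry hold, else None."""
    now = time.time() if now is None else now
    try:
        body, sig_text = token.split(".", 1)
        expected = hmac.new(SECRET, body.encode("ascii"), hashlib.sha256).digest()
        # Verify the signature before parsing anything else, in constant time.
        if not hmac.compare_digest(expected, _b64url_decode(sig_text)):
            return None
        claims = json.loads(_b64url_decode(body))
        if claims["exp"] <= now:
            return None
        return claims["sub"]
    except (ValueError, KeyError, TypeError):  # malformed base64/JSON/claims
        return None


def tamper(token: str, new_user_id: str) -> str:
    """Rewrite the claims without re-signing, as an attacker without the key would."""
    body, sig_text = token.split(".", 1)
    claims = json.loads(_b64url_decode(body))
    claims["sub"] = new_user_id
    body = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    return f"{body}.{sig_text}"


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_token("alice", 300, now=t0)
    print(verify_token(tok, now=t0 + 10))                    # alice
    print(verify_token(tamper(tok, "admin"), now=t0 + 10))   # None: bad signature
    print(verify_token(tok, now=t0 + 300))                   # None: expired
```

Two details matter in practice: the downstream service must check `exp` itself (a revoked user keeps a valid token until it expires, which is why short lifetimes plus a refresh step are the usual compromise), and the comparison uses `hmac.compare_digest` so a byte-by-byte mismatch does not leak timing.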
3 votes
Accepted

How to keep state alive between deployments

The trick is to not keep any session state within the stuff you redeploy. Instead: keep state in a separate database that persists beyond a deployment, or keep state purely client-side. Where a web ...
amon • 136k
3 votes
Accepted

How to combine session-based authentication and stateless REST API

So "standard, traditional, session-based" auth is a cookie on the client with a guid and an in-memory database on the server which holds the data for that user "stateless, token-based authentication" ...
Ewan • 84.4k
3 votes
Accepted

Should I store session id in server database?

First, model the situation correctly. We have a one-to-many relationship between user and sessionid. An attribute of a session is its expiration timestamp. So we will want a three-column table with FK ...
J_H • 7,901
2 votes
Accepted

How to handle authentication & authorization inside microservices

We have had a similar problem a couple of years ago and we have seen two different approaches. They were different in a way where the role = permission set were stored. Centralized authorization: Each ...
Peter Csala
1 vote
Accepted

Session Handover via OpenID Connect between a Mobile Application and a Website?

Correct, a token can be used to hand the user's state from the app to the browser, somewhat independently from your authentication system. Specifically: The app should store the relevant state on the ...
amon • 136k
1 vote
Accepted

When dealing with session level data in a web app, is it better to maintain a static store of that data, or pass it around as needed?

Do you ever need to call GetUsersByRole with varying connection strings?  If not, then the parameterization offers no value, and you might as well omit the parameter. If you use the static function ...
Erik Eidt • 34.8k
1 vote

How can I store an user's capabilities to boost performance while allowing real-time updates of said capabilities?

If your database supports rolling back changes, you could check at the beginning that the user is permitted to make the request, allow the request to go through, and then check again that they are ...
IllusiveBrian
1 vote

How to combine session-based authentication and stateless REST API

This article walks through various ways to use OAuth2. It might help you work through this. Based on the article and the relevant RFC, you would not pass the access token to the user agent (e.g. ...
JimmyJames • 30.9k
1 vote

Improve website speed with better user session management

If you already are using Redis or Memcached for caching something in your app, you can use it. If you have a large number of workers, having a common cache would improve the hit rate when looking up ...
9000 • 24.4k
1 vote
Accepted

Storing session state in browser's local storage

Almost everything is a balancing act between performance, usability, maintainability. That said... What's the difference between storing session state on the client versus the server? Where ...
TZHX • 5,072
1 vote

Check if user is logged in when using JWT

The following comes with a (big) grain of salt, because my knowledge of JWT is only theoretical, but I am trying to give a helpful answer: You have a login process in which the credentials are ...
Thomas Junk • 9,623
1 vote

Check if user is logged in when using JWT

There are several cases: If your application doesn't have a logout button, then you might not have a well-defined concept of what it means to be logged in. In which case I'd seek clarification on ...
gatkin • 1,379
1 vote

How can I redirect to an ASP.NET MVC page with extended session?

You could just increase the session timeout to 8 hours for all pages. Then you could just do your own "soft-expire" when someone accesses a page after 21 minutes where session should have been expired....
Esben Skov Pedersen
1 vote
Accepted

How can I redirect to an ASP.NET MVC page with extended session?

I deal with a similar issue in an app (super long log-in state), and resolved it by storing a GUID in a cookie on the client (via HttpOnly cookie) that is tied to a single login event record on the ...
GHP • 4,461
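The server-side session design that several answers on this page describe from different angles, as one added example: J_H's user-to-session table with an expiry column ("Should I store session id in server database?"), Ewan's opaque guid cookie backed by a server store, and GHP's HttpOnly cookie tied to a single login record. This is illustrative code, not from any of those answers; the table layout, the 30-minute sliding idle timeout and the cookie attributes are assumptions:

```python
"""Server-side session store: opaque id in an HttpOnly cookie, state in a
sessions table with a foreign key to users and an expiry timestamp.

Added example, not code from the answers above. Assumed schema and
timeouts; uses SQLite so it runs stand-alone.
"""
import secrets
import sqlite3
import time
from typing import Optional

SESSION_TTL = 30 * 60   # assumed: 30 minutes of inactivity ends a session
COOKIE_NAME = "sid"


class SessionStore:
    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        conn.execute("PRAGMA foreign_keys = ON")  # SQLite needs this per connection
        conn.executescript("""
            CREATE TABLE IF NOT EXISTS users (
                id   INTEGER PRIMARY KEY,
                name TEXT NOT NULL);
            CREATE TABLE IF NOT EXISTS sessions (
                session_id TEXT PRIMARY KEY,
                user_id    INTEGER NOT NULL REFERENCES users(id),
                expires_at INTEGER NOT NULL);
            CREATE INDEX IF NOT EXISTS sessions_user ON sessions(user_id);
        """)

    def create(self, user_id: int, now: Optional[float] = None) -> str:
        """One login event -> one row; the cookie carries only this random id."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # OS CSPRNG; a random UUID4 also works
        self.conn.execute("INSERT INTO sessions VALUES (?, ?, ?)",
                          (sid, user_id, int(now) + SESSION_TTL))
        self.conn.commit()
        return sid

    def lookup(self, sid: str, now: Optional[float] = None) -> Optional[int]:
        """User id for a live session, sliding its expiry; None if unknown/expired."""
        now = time.time() if now is None else now
        row = self.conn.execute(
            "SELECT user_id FROM sessions WHERE session_id = ? AND expires_at > ?",
            (sid, int(now))).fetchone()
        if row is None:
            return None
        self.conn.execute("UPDATE sessions SET expires_at = ? WHERE session_id = ?",
                          (int(now) + SESSION_TTL, sid))
        self.conn.commit()
        return row[0]

    def revoke_all(self, user_id: int) -> int:
        """Log a user out everywhere (password change, suspected compromise)."""
        cur = self.conn.execute("DELETE FROM sessions WHERE user_id = ?", (user_id,))
        self.conn.commit()
        return cur.rowcount

    def purge_expired(self, now: Optional[float] = None) -> int:
        """Housekeeping job: expired rows are dead weight, not a security risk."""
        now = time.time() if now is None else now
        cur = self.conn.execute("DELETE FROM sessions WHERE expires_at <= ?", (int(now),))
        self.conn.commit()
        return cur.rowcount


def set_cookie_header(sid: str) -> str:
    """Set-Cookie value: not readable by script, HTTPS only, not sent cross-site."""
    return f"{COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    conn = sqlite3.connect(":memory:")
    store = SessionStore(conn)
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    sid = store.create(1, now=1000)
    print(set_cookie_header(sid))
    print(store.lookup(sid, now=1100))                  # 1
    print(store.lookup(sid, now=1100 + SESSION_TTL))    # None: idle too long
```

Because the browser holds nothing but the random id, a redeploy or a second worker only needs to reach the same database to continue the session (the point amon makes under "How to keep state alive between deployments"), and revoking a user is a single DELETE rather than waiting for a client-side token to expire. The cookie deliberately has no Max-Age, so the server's `expires_at` is the only lifetime that counts.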

Only top scored, non community-wiki answers of a minimum length are eligible