Authentication Process 🛑🛑🛑 #52380
Hello! I am currently developing a web application using Node.js and React. However, I am facing some issues and have doubts regarding the authentication process. After a successful sign-up/sign-in, I am sending a token to the user which will expire in an hour. Additionally, I am storing a server cookie with a timestamp of 15 days on the client side using the following code: I am also storing the received token, which expires in an hour, in a client-side cookie with a timestamp of 1 hour. If the user continues to use the app after the token and the client-side cookie both expire, I am using the server-side cookie, which has a timestamp of 15 days, to regenerate a new token without requiring the user to sign in/sign up again. I would like to know if this approach is good and if this process is secure.
Replies: 1 comment
I believe you are using short-lived access tokens on the client side and a long-lived server cookie on the server side. Ensure that the cookie has the HttpOnly, Secure, and possibly the SameSite attributes set to enhance security.
Also, I would recommend you implement refresh tokens to handle the renewal of access tokens securely instead of server-side tokens. If an attacker gains access to this cookie, they could potentially generate new tokens and access the user's account until the cookie expires.
You can store the refresh tokens in your DB and revalidate/invalidate them accordingly before expiry.