As far as I know, JWT tokens are used for implementing a 'stateless server'. But as I try to apply JWT to my website, which uses sessions and cookies for authentication, I found that most people store refresh tokens in their DB and compare them to the tokens from the clients. If so, isn't that kind of ironic? Because I thought tokens didn't require any server-side resources. Now I'm confused why so many people use tokens for authentication instead of sessions with cookies, even though they both require server-side storage. Also, how do you deal with logging in on multiple devices? If you store a refresh token per user and a user tries to log in on a new device, its previous device will be automatically logged out as soon as its access token expires.
One post should create a single question. Please put other questions in other posts. – mentallurg, commented May 3, 2022 at 21:45
Score 1: A login is a state. So "stateless" is really just a sort of buzzword that doesn't actually mean stateless. Server-side session variables take up server resources, so it's generally a good thing to avoid using them. Tokens are usually just used for a session, not for authentication. The user is authenticated and then a session is begun and persisted using the token instead of something tied directly to a password/login. This has the benefit of being able to revoke the token without the user needing to change their password. Each device would have its own session. – browsermator, commented May 3, 2022 at 21:55
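A worked illustration of the split discussed above (a stateless, signed access token next to a per-device refresh token that is stored server side), added here as example code; it is not from the question, the comments, or any particular library. The HS256 signing done by hand, the `session_id.secret` refresh-token format, the in-memory `SessionStore`, the fixed example key and the fixed clock are all assumptions made for this example:

```python
import base64, hashlib, hmac, json, secrets
from typing import Optional

# Constructed example key: load it from a secrets manager in practice, never hard-code it.
SIGNING_KEY = b"example-hs256-key-do-not-use"
ACCESS_TTL = 300           # seconds; short, because a stateless access token cannot be revoked
REFRESH_TTL = 30 * 86400   # seconds; long-lived, so it is stored (hashed) and revocable per device


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_access_token(user_id: str, session_id: str, now: float) -> str:
    """Stateless part: an HS256 JWT. Verifying it needs only the key, no database lookup."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user_id, "sid": session_id,
                                  "exp": int(now) + ACCESS_TTL}).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_access_token(token: str, now: float) -> Optional[dict]:
    """Returns the claims if signature and expiry check out, else None. Consults no server state."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header, sig = json.loads(_b64url_decode(header_b64)), _b64url_decode(sig_b64)
    except ValueError:                      # wrong shape, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None                         # rejects "alg": "none" and algorithm-confusion tokens
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    return None if claims.get("exp", 0) <= now else claims


class SessionStore:
    """Stateful part: one row per device session, holding only a hash of its refresh token."""

    def __init__(self) -> None:
        self._sessions = {}   # session_id -> {"user_id", "refresh_hash", "exp"}

    @staticmethod
    def _hash(secret: str) -> str:
        return hashlib.sha256(secret.encode()).hexdigest()

    def login(self, user_id: str, now: float) -> tuple:
        """Every login (each device) gets its own row, so devices do not evict each other."""
        session_id, secret = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self._sessions[session_id] = {"user_id": user_id, "refresh_hash": self._hash(secret),
                                      "exp": now + REFRESH_TTL}
        return issue_access_token(user_id, session_id, now), f"{session_id}.{secret}"

    def refresh(self, refresh_token: str, now: float) -> Optional[tuple]:
        """Check the presented refresh token against the stored hash, then rotate it."""
        session_id, _, secret = refresh_token.partition(".")
        row = self._sessions.get(session_id)
        if row is None or row["exp"] <= now:
            return None
        if not hmac.compare_digest(row["refresh_hash"], self._hash(secret)):
            self._sessions.pop(session_id, None)   # old token replayed: treat as theft, kill the session
            return None
        new_secret = secrets.token_urlsafe(32)
        row["refresh_hash"] = self._hash(new_secret)
        return issue_access_token(row["user_id"], session_id, now), f"{session_id}.{new_secret}"

    def logout(self, session_id: str) -> None:
        """Revokes one device; access tokens it already holds stay valid until they expire."""
        self._sessions.pop(session_id, None)

    def session_count(self, user_id: str) -> int:
        return sum(1 for row in self._sessions.values() if row["user_id"] == user_id)


def demo() -> dict:
    """Two devices for one user; a fixed (constructed) clock keeps the run deterministic."""
    store, t0 = SessionStore(), 1_700_000_000.0
    access_phone, refresh_phone = store.login("alice", t0)
    _, refresh_laptop = store.login("alice", t0)
    out = {"sessions_after_two_logins": store.session_count("alice")}
    store.logout(verify_access_token(access_phone, t0 + 10)["sid"])
    out["sessions_after_phone_logout"] = store.session_count("alice")
    out["phone_refresh_rejected"] = store.refresh(refresh_phone, t0 + 10) is None
    out["laptop_refresh_ok"] = store.refresh(refresh_laptop, t0 + 10) is not None
    out["laptop_replay_rejected"] = store.refresh(refresh_laptop, t0 + 11) is None
    out["sessions_after_replay"] = store.session_count("alice")
    # The stateless trade-off: the logged-out phone's access token verifies until it expires.
    out["phone_access_valid_after_logout"] = verify_access_token(access_phone, t0 + 10) is not None
    out["phone_access_expired"] = verify_access_token(access_phone, t0 + ACCESS_TTL + 1) is None
    forged = ".".join([_b64url(b'{"alg":"none"}'), _b64url(b'{"sub":"admin"}'), ""])
    out["alg_none_rejected"] = verify_access_token(forged, t0) is None
    return out
```

The point of the split is that only the refresh path touches storage: every request carrying an access token is checked with one HMAC and no lookup, which is the "stateless" part, and the price is that `logout` cannot pull an access token back before its short `ACCESS_TTL` runs out. Per-device logout works because each login creates its own session row rather than overwriting a single refresh token per user. The store keeps a hash of the refresh secret, so a leaked table does not hand out usable tokens, and rotating the secret on every refresh lets a replay of an old token be treated as theft and end that session.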