Hi.
I'm building an app that could be used by both registered users and visitors. What those users could do, is to upload some files. The difference is that guests' files will be stored temporarily. So I'm trying to design a way to handle user sessions.
As you can see in the image I posted below, for the registered users after login JWT will be stored on the browser's local storage and when user's next request is to list his/her files there will be a variable inside the JWT to tell the server where to look for the user's files (which path).
Now for the guests, I thought that I should do something similar but without the login step. For example, when a guest enters to the site, javascript will check if there is a non-expired token on local storage. If that's true, then a random JWT that will point to a temp directory will be created from the server and will be stored onto the browser. But I don't know if this approach is reasonable or if there is any other better approach to do it.
Here is the sketch on how I imagine it.
https://sketch.io/render/sk-0e12e9fcabf7f97a14449ec02679ad73.jpeg
What do you think? Any ideas or suggestions will be helpful. Thanks.
Top comments (2)
Probably someone more experienced will explain in more details, but basically, when I read JWT and API I think about stateless application, namely, there is no user session stored on the server. This is one of the basic features of JWT, it stores everything that the server must know to identify the user and handle the request.
I think your reasoning is fine, but it is not user session you are trying to use, you are using JWT to carry the information to and from as I said. It is something like this, right?
Guest enters -> Server receives the request, generate a random token and send it to the user -> guest uses this token from now on to send data and the server will know where it will save it temporarily.
The same for logged use, but the folder is not temporary and there is info about the user on the token in this case.
Obs: No token is stored on the server, never, only on the client side.
Yeap. you got it right.