Great article! Thanks. However, express-session focuses on a rather simple session flow. One can implement much better security by using short-lived access tokens and one-time-use, long-lived refresh tokens, as explained here: supertokens.io/blog/all-you-need-t....
In a nutshell, this method allows you to change the secret key instantly (as opposed to gradually fading out a key as shown in the article) and also enables detection of token theft (which express-session also doesn't provide).
Thank you for your comments!
As far as better security is concerned, it boils down to use cases and constraints (time and technical). This article was written explicitly with express-session in mind. It's a flexible library with which I can roll out my solutions depending on the use case.