
Which is the best practice for node user authentication and session handling?

SHARAD SHINDE ・ 1 min read

Hi! I am Sharad,

I am a MEAN stack developer with 1 year of experience. I want to learn more about the MEAN stack and improve my coding skills and my knowledge of best practices.

So, I am building an Instagram clone using the MEAN stack, where I am using TypeScript for writing the APIs in Node.

So my question to the experts is regarding user authentication and session handling: what is the best practice for handling user auth and user sessions?

I read about Passport.js; is it right for user auth, or is there another one you would suggest? Also, I read about JWT tokens and express-session; which would be best to use from a security standpoint?

Experts, please guide me on this.

Thanks.

Discussion

Diane

My best advice would be to rely on native sessions, which are the most supported and compatible mechanism.

SHARAD SHINDE (Author)

Thanks for the answer. I find it hard to use native sessions. I think they will be less secure compared to the new packages.

Diane

The thing is, native sessions are hard to render insecure, especially when properly configured.

JWT is recognized as unfit for authentication, and much harder to get right (especially with refresh mechanisms and token types).

Aviral Kulshreshtha

I personally use JWTs that auto-expire and need to be refreshed at small intervals. I save them in localStorage and/or cookies on the front end. I use Passport on the back end. It has worked great for me on all different sorts of projects.

SHARAD SHINDE (Author)

Thank you for the answer, I really appreciate this. I will give it a try.

Andrei Gatej

I think it depends.

Each solution has its cons and pros.

As sessions are stored on the server side, if you have many users requesting your server, you might run into problems. Of course, there are solutions for this.
By using sessions you can also blacklist users more easily.

On the other hand, using JWT will make things easier for the server, as it only has to check the signature of the arriving token.
Blacklisting users with this approach requires you to make another lookup to check whether the current user is blacklisted or not.

Also having a look at a caching system such as Redis might be worth your while.

Good luck!