I've been using the same authentication method across all my backend projects, but I'm starting to wonder if it's truly secure. My setup involves stateless JWTs stored in cookies that are marked as `Secure`, `HttpOnly`, and `SameSite=Strict`. Here's a quick overview of how it works:
- **Access Token**: 5-minute lifespan, sent with every request.
- **Refresh Token**: 7-day lifespan, sent only to the refresh endpoint.
I don't have a logout function, which means I don't keep any tokens in the database either. I'm interested in hearing your thoughts on how I can improve this setup or if there's anything critical I've missed. Thanks for any insights!
1 Answer
Your setup could use some improvements! For starters, having server-side session management is important, especially if you want to revoke access post-breach or allow users to log back in after a security fix.
Also, is your backend strictly HTTPS? If not, anyone could intercept your cookies as they’re sent in clear text. Make sure your credentials are securely stored; using a strong cryptographic library is essential, along with salt and maybe even a pepper for added security.
Don't forget to sign and verify your tokens properly; unsigned JWTs can lead to potential permission escalation. Consider implementing XSRF protection and ensure that user errors are not verbose. A solid access control system is crucial to prevent unauthorized access. Lastly, continuously vet the libraries and packages you use and keep up with updates.
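A worked example, added here and not code from the asker or the answer above, showing the points the answer raises against the setup in the question: HS256 tokens that are signed and verified with the algorithm pinned (so an unsigned or `alg: none` token is rejected), access and refresh tokens separated by a type claim so the 7-day refresh token cannot be used as an access token, and the server-side state the stateless design lacks, an in-memory set of revoked token ids that makes refresh-token rotation and a logout possible. The key, the `REVOKED_JTIS` set (standing in for a database table), and all function names are constructed for this example; only the two lifetimes come from the question.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed demo key: a real deployment loads this from a secret manager.
SECRET_KEY = b"demo-only-hmac-key-do-not-reuse"
ACCESS_TTL = 5 * 60           # 5 minutes, as in the question
REFRESH_TTL = 7 * 24 * 3600   # 7 days, as in the question

# Server-side state the stateless design lacks: ids (jti) of refresh tokens that
# were rotated or logged out. An in-memory set here; a DB or Redis set in production.
REVOKED_JTIS = set()


class TokenError(Exception):
    """Raised for any token that must not be accepted."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_json(obj) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def issue_token(sub: str, ttl: int, typ: str, now: Optional[int] = None) -> str:
    """Mint an HS256-signed JWT. 'typ' keeps access and refresh tokens apart;
    'jti' gives each token an id that can be revoked server-side."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "typ": typ, "jti": secrets.token_hex(16),
               "iat": now, "exp": now + ttl}
    signing_input = f"{encode_json(header)}.{encode_json(payload)}"
    sig = hmac.new(SECRET_KEY, signing_input.encode("utf-8"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_token(token: str, expected_typ: str, now: Optional[int] = None) -> dict:
    """Check algorithm, signature, token type, expiry and revocation; return the claims."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed")
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(b64url_decode(h_b64))
        signature = b64url_decode(s_b64)
    except (ValueError, UnicodeDecodeError):
        raise TokenError("malformed")
    # Pin the algorithm: the header never gets to choose it, so alg=none is rejected.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(SECRET_KEY, f"{h_b64}.{p_b64}".encode("utf-8"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):   # constant-time comparison
        raise TokenError("bad signature")
    payload = json.loads(b64url_decode(p_b64))   # trusted only after the signature check
    if payload.get("typ") != expected_typ:
        raise TokenError("wrong token type")
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        raise TokenError("expired")
    if payload.get("jti") in REVOKED_JTIS:
        raise TokenError("revoked")
    return payload


def token_status(token: str, expected_typ: str, now: Optional[int] = None) -> str:
    """'ok' or the reason the token was rejected (handy for logging and tests)."""
    try:
        verify_token(token, expected_typ, now)
        return "ok"
    except TokenError as exc:
        return str(exc)


def refresh(refresh_token: str, now: Optional[int] = None) -> Tuple[str, str]:
    """Rotate: the presented refresh token becomes single-use and a new pair is issued."""
    claims = verify_token(refresh_token, "refresh", now)
    REVOKED_JTIS.add(claims["jti"])
    return (issue_token(claims["sub"], ACCESS_TTL, "access", now),
            issue_token(claims["sub"], REFRESH_TTL, "refresh", now))


def logout(refresh_token: str, now: Optional[int] = None) -> None:
    """The logout the question lacks: revoke the refresh token server-side."""
    claims = verify_token(refresh_token, "refresh", now)
    REVOKED_JTIS.add(claims["jti"])


if __name__ == "__main__":
    rt = issue_token("alice", REFRESH_TTL, "refresh")
    at, rt2 = refresh(rt)
    print("access token:", token_status(at, "access"))
    print("old refresh token after rotation:", token_status(rt, "refresh"))
    logout(rt2)
    print("new refresh token after logout:", token_status(rt2, "refresh"))
```

The `exp` check still bounds the damage from a stolen access token to its 5-minute life; the revocation set is consulted only for refresh tokens (rotation and logout), so the hot path of every request stays stateless while a compromised 7-day token can be cut off. The same set could hold access-token ids too, at the cost of one lookup per request.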

Wow, this is incredible. I already see where I can improve on security. Thanks a lot!