Preamble / TL;DR

I've got a dumb API using the PassportJS JWT strategy that I'd like to add sessions to for the purpose of having user isolation in certain areas, a requirement for some enhancements.

The entire system is comprised of a MySQL DB, NodeJS + ExpressJS (with PassportJS) backend and an Angular 2 frontend.

Further Information

I've had an issue with implementing sessions in my application, and experienced the same issues as seen in this Github Issue.

My frontend doesn't seem to handle the session id stored in the session cookie with the key 'connect.sid', even though a user can be correctly authenticated initially and get their JWT. The session cookie does however get used when bypassing the frontend and using POSTMAN to send the requests.

The primary symptoms of the issue I'm experiencing are:

  • The session cookie is not created when using the Angular2 frontend. Sending the requests using POSTMAN seems to have the cookies created.
  • The req.isAuthenticated() call is always false as a result (unless using POSTMAN).

I've now deduced it must be an issue with communication/handling of requests/responses between the front/backend.

I've spent the last couple days running through other issues like:

  • Ordering/checking use statements: here, here
  • Adding the respective headers to responses on the front and backend: here

And a couple others. I do however draw the following questions from this:

Question(s)

  1. Is it even correct implementing sessions with a JWT strategy, knowing the two should be exclusive from one another?
  2. If not, what would you recommend be done in this scenario?
jarodsmk
  • No, you shouldn't use JWT for sessions. Should probably avoid JWT altogether. http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/ – pvg Mar 20 '17 at 11:51
  • @pvg I too came across that link, and with the additional information of this being a SPA, is it still a bad idea? Thoughts? Also, why in this case in particular are you against its usage? – jarodsmk Mar 20 '17 at 11:53
  • Yes it's a bad idea. Unfortunately, this sort of question is offtopic for SO, take a look at the site intro docs that cover this. – pvg Mar 20 '17 at 11:54
  • @pvg Ok I'll hand that to you, I can definitely do my own research on that. What would your suggestion be here instead then? Move to a different auth strategy entirely? – jarodsmk Mar 20 '17 at 11:57
  • Simplest is, if you don't need bearer tokens (which most people don't), stick with cookie-based (or header or value of your choice, in an anal API context) sessions. If you do need tokens, avoid JWT anyway. Here's a more recent write-up https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid – pvg Mar 20 '17 at 12:02
  • Thanks for the information & feedback you provided @pvg, really appreciate it. I'm going to leave the question open for a bit to see if I get any other feedback, but will probably end up writing an answer based on our discussion – jarodsmk Mar 20 '17 at 12:07
