I'm implementing a "remember me" feature in my web app using access tokens and refresh tokens to authenticate users (Node.js). I have a few question about this approach: Why is a long-lived refresh token needed? Why can't I just sign an access token that will be long-lived (1 year or 6 months)? What happens when a user logs out? The access and refresh tokens are still valid (Is there a solution to this without storing them in a blacklist collection in the DB or Redis? Because it is not very scalable if I use micro-services or load balancer with multiple servers) Is a JWT approach better than a session based one (cookies for instance)?

Implementing a "remember me" mechanism using access token and refresh token in a web server

Software Engineering Asked by Two Horses on January 14, 2021

I’m implementing a "remember me" feature in my web app using access tokens and refresh tokens to authenticate users (Node.js). I have a few question about this approach:

Why is a long-lived refresh token needed? Why can’t I just sign an access token that will be long-lived (1 year or 6 months)?
What happens when a user logs out? The access and refresh tokens are still valid (Is there a solution to this without storing them in a blacklist collection in the DB or Redis? Because it is not very scalable if I use micro-services or load balancer with multiple servers)
Is a JWT approach better than a session based one (cookies for instance)?

jwt node.js security

Add your own answers!

Ask a Question

Get help from others!

Recent Answers

Joshua Engel on Why fry rice before boiling?
Jon Church on Why fry rice before boiling?
haakon.io on Why fry rice before boiling?
Peter Machado on Why fry rice before boiling?
Lex on Does Google Analytics track 404 page responses as valid page views?