I'm implementing a "remember me" feature in my web app using access tokens and refresh tokens to authenticate users (Node.js). I have a few question about this approach: Why is a long-lived refresh token needed? Why can't I just sign an access token that will be long-lived (1 year or 6 months)? What happens when a user logs out? The access and refresh tokens are still valid (Is there a solution to this without storing them in a blacklist collection in the DB or Redis? Because it is not very scalable if I use micro-services or load balancer with multiple servers) Is a JWT approach better than a session based one (cookies for instance)?

Implementing a "remember me" mechanism using access token and refresh token in a web server

Software Engineering Asked by Two Horses on January 14, 2021

I’m implementing a "remember me" feature in my web app using access tokens and refresh tokens to authenticate users (Node.js). I have a few question about this approach:

Why is a long-lived refresh token needed? Why can’t I just sign an access token that will be long-lived (1 year or 6 months)?
What happens when a user logs out? The access and refresh tokens are still valid (Is there a solution to this without storing them in a blacklist collection in the DB or Redis? Because it is not very scalable if I use micro-services or load balancer with multiple servers)
Is a JWT approach better than a session based one (cookies for instance)?

jwt node.js security

Add your own answers!

Ask a Question

Get help from others!