Implementing a "remember me" mechanism using access token and refresh token in a web server
Software Engineering Asked by Two Horses on January 14, 2021
I’m implementing a "remember me" feature in my web app using access tokens and refresh tokens to authenticate users (Node.js). I have a few questions about this approach:
- Why is a long-lived refresh token needed? Why can’t I just sign an access token that will be long-lived (1 year or 6 months)?
- What happens when a user logs out? The access and refresh tokens are still valid. (Is there a solution to this without storing them in a blacklist collection in the DB or Redis? That is not very scalable if I use microservices or a load balancer with multiple servers.)
- Is a JWT approach better than a session based one (cookies for instance)?