Auth Solution
Researching token vs. session based auth has been a pain. In my "design" I have two services, an API and a websocket, and there's a possibility I will have a third; I need auth on all of these. Session auth seems to be the most basic, but it also seems like it would be a pain to deal with as, AFAIK, you can't share cookies between domains, and everything I've read says you shouldn't store sessions in local storage. I'm very unsure of token based auth; I can find a lot of articles on it, but not really any that explain it in a way I properly understand. These services will be used in an SPA and a mobile app. I would like to be able to log out clients from the server, and for clients to be able to remotely log out their other devices. Could someone give me a good explanation/comparison and help me find the correct solution?
3 Replies
I think the sessions are usually in the DB 🤔 from what I've seen.
So you can invalidate them all when the password is changed or on some other trigger.
I don't understand how/why NextAuth sessions are stored in the DB; where can I research this?
You can share cookies between domains, but I recommend modifying your API to use the Authorization header: simply put the token in the Authorization header when making a request, and in your API route code, instead of reading the session from the cookie, read it from the Authorization header.
And to invalidate the sessions, as @Sybatron said, you just store all the sessions in the DB and invalidate them based on a condition or manually.
For example, when the password gets changed you'll have to invalidate all the login sessions associated with that account.