Replies: 2 comments 3 replies
-
I would strongly advise not to use JWTs this way.
Existence of a session does not confer the authenticated semantic (nor should it, for proper security). This is the purpose of the auth hash, which must be verified on each request. Only when the auth hash is present and verified is the request considered authenticated. You must use

Separately, the fact that the session is being set might not be intended, but regardless it's crucial to understand the above semantic.

Edit: Using the |
-
I used JWT/secure cookie as a term since I didn't know the official name for it, but the article clarifies that the term I am looking for is "stateless session". I am not hung up on JWT specifically; all I want is to store data in the cookie for login without hitting the database when not necessary, for low-risk/non-sensitive parts of the site.

I also figured out why a session was being written into the database even though the password was wrong: it was due to "axum_messages" |
-
How do I go about properly preventing a session from being written into the database? From what I see, when I do an authorization it writes the session into the database even if the authorization fails. I don't want that; I only want a session when the login succeeds.

Also, is it possible for us to manually manage the session id once it is generated? I want to store the session id inside a JWT/encrypted cookie.
Ideally, what I want is this:
Not logged in user = JWT/encrypted cookie session, nothing goes into the database and no database session id
Logged in user = JWT/encrypted cookie session, session id is written into the database and stored in the JWT but expires in 30 minutes, user can still stay logged in on JWT
Logged in user accessing a secure section of the site like changing their email = require database session id login
Admin/Mod user = JWT but always needs database Session id, database session id lasts long but with non-elevated privileges
Admin/Mod user accessing a secure section of the site = needs to do 2FA to elevate privileges before access which lasts for 30 minutes
My thoughts right now are to handle the JWT/encrypted cookie session myself, and call axum-login when I need the database session id. For elevating, I am thinking of having admin/mod users belong to 2 user groups, and upgrading the group based on the session.

Thoughts/suggestions?
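Added example (my own, not code from this thread or from axum-login): a small std-only Rust model of the rule in the reply above, "a session existing is not the same as the request being authenticated", combined with the access tiers sketched in the question (anonymous, logged in, elevated for 30 minutes). Every type and function name here (`User`, `Session`, `Required`, `authenticated_user`, `authorize`, `elevate`) is an assumption made for illustration; the `password_hash` field stands in for whatever the real application returns as its session auth hash. The point it demonstrates is that an anonymous session, a session for an unknown user, and a session whose stored hash no longer matches the user's current hash are all treated as unauthenticated, and that elevation is separate from authentication and expires.

```rust
// Added example: session existence != authenticated, plus tiered access checks.
// Not axum-login's code; all names are illustrative assumptions.
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// Hypothetical user record. `password_hash` is a constructed stand-in for
/// the credential-derived bytes a real app would use as its session auth hash.
#[derive(Clone, Debug)]
pub struct User {
    pub id: u64,
    pub password_hash: Vec<u8>,
    pub is_staff: bool,
}

/// Hypothetical session record. An anonymous session has no user id and no
/// auth hash; its mere existence grants nothing.
#[derive(Clone, Debug, Default)]
pub struct Session {
    pub user_id: Option<u64>,
    pub auth_hash: Option<Vec<u8>>,
    /// Set after a step-up (e.g. 2FA) check; elevation lapses at this instant.
    pub elevated_until: Option<Instant>,
}

/// Access tier a route requires.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Required {
    Anonymous,
    Authenticated,
    Elevated,
}

/// Constant-time comparison so a stale hash cannot be matched byte by byte.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// The rule from the reply: a request is authenticated only when the session
/// carries an auth hash AND that hash verifies against the user's current one.
/// Missing hash, unknown user, or a hash from before a password change => None.
pub fn authenticated_user<'a>(session: &Session, users: &'a HashMap<u64, User>) -> Option<&'a User> {
    let id = session.user_id?;
    let hash = session.auth_hash.as_ref()?;
    let user = users.get(&id)?;
    if ct_eq(hash, &user.password_hash) {
        Some(user)
    } else {
        None
    }
}

/// Elevation is a separate, time-boxed property layered on top of authentication.
pub fn is_elevated(session: &Session, now: Instant) -> bool {
    session.elevated_until.map_or(false, |until| now < until)
}

/// Record a completed step-up check; `window` is the elevation lifetime (30 min in the question).
pub fn elevate(session: &mut Session, now: Instant, window: Duration) {
    session.elevated_until = Some(now + window);
}

/// Decide whether a request carrying `session` may reach a route of tier `need`.
pub fn authorize(session: &Session, users: &HashMap<u64, User>, need: Required, now: Instant) -> bool {
    match need {
        Required::Anonymous => true,
        Required::Authenticated => authenticated_user(session, users).is_some(),
        Required::Elevated => authenticated_user(session, users).is_some() && is_elevated(session, now),
    }
}

/// Constructed fixture: one regular user (id 1) and one staff user (id 2).
pub fn sample_users() -> HashMap<u64, User> {
    let mut m = HashMap::new();
    m.insert(1, User { id: 1, password_hash: b"hash-alice-v2".to_vec(), is_staff: false });
    m.insert(2, User { id: 2, password_hash: b"hash-mod-v1".to_vec(), is_staff: true });
    m
}

fn main() {
    let users = sample_users();
    let now = Instant::now();
    let anon = Session::default();
    // Session exists, but carries no auth hash: not authenticated.
    println!("anonymous -> authenticated? {}", authorize(&anon, &users, Required::Authenticated, now));
    // Hash stored before a password change no longer verifies: not authenticated.
    let stale = Session { user_id: Some(1), auth_hash: Some(b"hash-alice-v1".to_vec()), elevated_until: None };
    println!("stale hash -> authenticated? {}", authorize(&stale, &users, Required::Authenticated, now));
    // Current hash verifies; elevation still needs a step-up.
    let mut good = Session { user_id: Some(2), auth_hash: Some(b"hash-mod-v1".to_vec()), elevated_until: None };
    println!("current hash -> elevated? {}", authorize(&good, &users, Required::Elevated, now));
    elevate(&mut good, now, Duration::from_secs(30 * 60));
    println!("after step-up -> elevated? {}", authorize(&good, &users, Required::Elevated, now));
}
```

Usage: `authorize` is what a route guard would call on every request; nothing is cached from a previous request, which is the "verified on each request" part of the reply. Changing a user's stored hash (a password change) silently invalidates every session that still carries the old hash, without needing to hunt those sessions down in the store.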