-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Should I use JWT or PHP sessions? Is developping API separated from frontend the right fit for me? #12
Comments
Indeed, a JWT should not be used as a replacement for sessions (cookies). There are some tricks to invalidate a JWT, but it still doesn't feel right to me. For a typical web-application with login/logout functionality a cookie based session handling is still the best option (IMHO). It's definitely better and recommend separating the "Frontend API" from all other API's like the API for the native App or PWA. Except the frontend endpoints, I would put all "external" API endpoints into a Auth: You have to differentiate here.
I'ts really important to distinguish all the different parts of your application. Luckily you can organize and handle all this different endpoints with routing groups and the middleware. |
Thank you a lot for this insight. Did I understand you correctly?
Everything is way clearer now and enough for my use case right now but I'm still missing a little something if one day I'll work with native apps. |
|
If I make sessions with the backend doesn't that mean that the important REST-principle stateless cannot be respected and thus it makes the API non-RESTful?
I totally agree for RESTful APIs it's a nono but if point 1 is true, if it isn't RESTful, if it is only a backend that receives ajax calls (I called it API without preceding REST maybe it's not the right term), and it has to execute actions like notify technical contact or send bill via email, how would you name those actions in a non RPC way? Whenever possible of course restful naming but aren't there exceptions?
|
Yes, the "Frontend API" is not a real RESTful API because it's not stateless when you use session cookies. REST(ful) is not a religion and should not be approached as such. While there are advantages to RESTful, you should only follow the tenets of REST as far as they make sense for your application. When you name your routes like methods then it's more a RPC'ish API. Just because it's not stateless doesn't imply that you have to name your HTTP routes like method names. I try to be consistent with all route names. I would try to avoid mixing RPC'ish names with RESTful names. |
Thank you for your help! |
When I was thinking about how I was going to develop apps a some months ago I explained that I want a core part which is able to communicate with different clients (Browser, Native app, web service etc.) I got the advice to make the application as API with separated frontends.
Soon I adopted JWT and was confronted with the fact that there is no proper way to invalidate a token, that token were only valid for a given time and not depending on the user activity.
Additionally, each request has to contain all the infos since the API is (ideally) stateless.
Although this is great for some cases I am starting to think that it's not the right fit for what I want to do. I am reading that JWT should not be used for sessions (Why JWTs Suck as Session Tokens) and its kind of exactly what I was using them for.
What I want is to create an extensive example project that will be used as a base for larger applications which will basically have the standard functions (user registration, user login, user clicks around and does stuff, website uses the user’s information to create, update, and delete information).
Maybe native apps will be created on Android and IOS but most probably it will only be a PWA.
Is a REST API as Backend separated from the frontend the right approach in this case ? Or should I head towards doing backend and frontend in the same project folder and manage sessions with PHP ?
I like to build the whole content dynamically with AJAX requests so it made sense for me to call an external API (because it could be used by other frontends as well) but I have this above mentioned session issue now. I would basically have a backend that I treat like a non-stateless API which can be used only by this specific frontend.
I'm very interested in your opinion on all this Daniel.
The text was updated successfully, but these errors were encountered: