Gaining an understanding of Session Cookies and JWT Token

Hello @victorolinasc, thank you for replying and providing links to better understand this. I loved the video presented in User management with absinthe for api by @wolfiton, which had a discussion of why JWT isn’t safe and how vulnerable it is in comparison to a session token. That is something I never knew, since most of my friends who have been in tech longer than I have (I just landed my first job a few months ago) all recommend adding JWT to your application.

Although I would like some clarity. The stack I’m implementing for this project is currently: BE - PostgreSQL, Phoenix/Elixir and Absinthe/GraphQL; FE - React/Apollo.

After reading the link regarding cookies and how they are sent from the FE to the backend as a header, I’m now becoming confused about the purpose of JWT. I thought its use was mainly to send a userID to the frontend and save their information in order to persist that a user is logged in. We then use that ID to find the user and check if it matches, let’s say, their email when logging in.

The way I saw it was to not save any information in a JWT except for the user ID, which we can use to look them up when logging in. After logging in, should we just save the ID? Or do people normally save the entire user? And if yes, why is this the case when there is a risk of a leak occurring?

Also, I am wondering: if cookies are safer, as most (including OWASP) have stated, would it be recommended to use the backend to check that the cookie is valid before sending information back? If we wanted to persist some information, should we, for example, in regards to cookies:

1 - hit backend when logging in
2 - save user to cookies
3 - send the logged-in user information (mainly use the ID) and save it to a state management library like Redux as current_user: 1
4 - This will be our false catch to use when trying to validate a user interaction to the frontend?

The reason I mentioned Redux is because I don’t have much experience with Apollo Client yet.

Again, thank you for the clarity and also for providing your experience/feedback on this matter.
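As an added example (not code from this thread or from any of the posters), here is what the server side of the four steps above can look like in Phoenix with Absinthe: the login action stores only the user ID in the signed session cookie, and a plug re-reads that cookie and looks the user up on every request, so whatever the frontend keeps in Redux or Apollo is only for the UI and is never what the backend trusts. The module names `MyApp.Accounts` / `MyAppWeb` and the `authenticate/2` and `get_user/1` functions are assumed.

```elixir
# Endpoint (assumed config): the session is a cookie the server signs and
# optionally encrypts, so the browser can neither forge nor read a valid one.
# plug Plug.Session,
#   store: :cookie, key: "_my_app_key",
#   signing_salt: "...", encryption_salt: "...",   # from config/secrets
#   http_only: true, secure: true, same_site: "Lax"

defmodule MyAppWeb.SessionController do
  use MyAppWeb, :controller

  # Step 1: the frontend hits the backend to log in.
  # Step 2: only the user ID goes into the session cookie, never the whole user.
  def create(conn, %{"email" => email, "password" => password}) do
    case MyApp.Accounts.authenticate(email, password) do   # assumed helper
      {:ok, user} ->
        conn
        |> configure_session(renew: true)  # fresh session ID on login (fixation defence)
        |> put_session(:user_id, user.id)
        |> json(%{id: user.id})            # step 3: what Redux/Apollo may cache, UI only
      :error ->
        conn |> put_status(401) |> json(%{error: "invalid credentials"})
    end
  end

  def delete(conn, _params) do
    conn |> configure_session(drop: true) |> json(%{ok: true})
  end
end

defmodule MyAppWeb.Plugs.CurrentUser do
  @moduledoc "Resolves the logged-in user from the session cookie on every request."
  import Plug.Conn

  def init(opts), do: opts

  # Step 4: the backend, not the frontend state, decides who the user is.
  def call(conn, _opts) do
    user =
      case get_session(conn, :user_id) do
        nil -> nil
        id -> MyApp.Accounts.get_user(id)   # assumed; nil if the user was removed
      end

    conn
    |> assign(:current_user, user)
    # Hand the same user to Absinthe resolvers, which authorise on this context.
    |> Absinthe.Plug.put_options(context: %{current_user: user})
  end
end
```

Put `MyAppWeb.Plugs.CurrentUser` in the router pipeline that serves `/api` after `fetch_session`, and resolvers read `context.current_user` instead of any ID the client sends.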