Guardian vs `put_session`

Genuine question: I see Guardian brought up frequently in blog posts/tutorials for user authentication. I’m also under the impression that JWTs should not be used for user sessions, however Guardian seems to be used for user sessions. Why not use put_session and call it good? When is Guardian the right tool to reach for?

2 Likes

Guardian is the right tool when you want to have the user session talk to other servers; if you don’t, then there is no point in using it unless you like needless added complexity. ^.^;

7 Likes
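As an added illustration of the plain put_session route the reply above recommends (example code written for this edit, not posted by anyone in the thread): a login/logout controller plus a plug that gates routes on the session. `MyAppWeb`, `MyApp.Accounts` and its `authenticate_by_email_and_password/2` and `get_user/1` functions are assumed names. The `configure_session(renew: true)` on login rotates the session id so an id fixed in the browser before login is not promoted to an authenticated one.

```elixir
# Added example: cookie-session login with put_session in a Phoenix app.
# MyAppWeb, MyApp.Accounts and the Accounts functions are hypothetical names.

defmodule MyAppWeb.SessionController do
  use MyAppWeb, :controller

  alias MyApp.Accounts

  # POST /login
  def create(conn, %{"email" => email, "password" => password}) do
    case Accounts.authenticate_by_email_and_password(email, password) do
      {:ok, user} ->
        conn
        # Rotate the session id on login so a session id planted before
        # authentication (session fixation) does not become a logged-in one.
        |> configure_session(renew: true)
        # Store only the user id. The cookie store signs the data (and
        # encrypts it when an encryption_salt is configured), but the cookie
        # still travels to the client, so keep it small and non-sensitive.
        |> put_session(:user_id, user.id)
        |> redirect(to: "/")

      :error ->
        # Same response for unknown email and wrong password.
        conn
        |> put_flash(:error, "Invalid email or password")
        |> redirect(to: "/login")
    end
  end

  # DELETE /logout
  def delete(conn, _params) do
    conn
    # Drop the whole session rather than just the :user_id key.
    |> configure_session(drop: true)
    |> redirect(to: "/login")
  end
end

defmodule MyAppWeb.Plugs.RequireAuthenticatedUser do
  @moduledoc """
  Put this plug in a router pipeline after :fetch_session. It loads the user
  referenced by the session, or halts with a redirect when there is none.
  """
  import Plug.Conn
  import Phoenix.Controller, only: [redirect: 2]

  def init(opts), do: opts

  def call(conn, _opts) do
    with user_id when not is_nil(user_id) <- get_session(conn, :user_id),
         %{} = user <- MyApp.Accounts.get_user(user_id) do
      assign(conn, :current_user, user)
    else
      _ ->
        conn
        # A stale id (deleted user) is cleared so the redirect loop ends.
        |> delete_session(:user_id)
        |> redirect(to: "/login")
        |> halt()
    end
  end
end
```

The session cookie itself comes from the `Plug.Session` plug in the endpoint (`store: :cookie`, signed with `signing_salt`); nothing here needs a token library, and revocation is simply removing the user or, with a server-side session store, the session.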

The default token type for Guardian is JWT. This is not fixed. Guardian can use any token that conforms to the Guardian.Token behaviour.

https://hexdocs.pm/guardian/introduction-overview.html

1 Like

At that point you are having even more overhead (both code and conceptually) for no gain at all. :wink:

Is it? I didn’t try it yet, but the Token behaviour doesn’t look too complicated, and one could probably use most of the existing code for JWT.

Or just use a Phoenix token, which is a single call to sign/encrypt and a single call to extract, with lifetime support as well, and it’s faster.

2 Likes
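An added example of the Phoenix.Token approach mentioned in the reply above (not code from the original thread): signing a user id, verifying it with a lifetime, and the error tuples a caller has to handle. The secret key base string and the `"api-token-v1"` salt are constructed for the demo; in a real app you pass the endpoint module (for example `MyAppWeb.Endpoint`) as the first argument and Phoenix reads `secret_key_base` from its config.

```elixir
# Added example: Phoenix.Token sign/verify with a lifetime.
# Runs stand-alone with Elixir >= 1.12 and Hex access; inside a Phoenix
# project drop the Mix.install line and use `mix run -e TokenDemo.run`.
Mix.install([{:phoenix, "~> 1.7"}])

defmodule TokenDemo do
  # Constructed secret for this demo only (Phoenix.Token accepts a binary of
  # at least 20 bytes). In an app pass the endpoint module instead.
  @secret_key_base "ZbNkQ7w9vY2mX4pL6rT8uH1jF3sD5gA0cE9iK2nM4oP6qR8tV1wX3yZ5aB7cD9eF"

  # The salt namespaces tokens: a token signed under one salt will not verify
  # under another, so give each purpose (API, password reset, ...) its own.
  @salt "api-token-v1"

  # Tokens carry their signing timestamp; verify/1 rejects older ones.
  @max_age_seconds 24 * 60 * 60

  @doc "Issue a signed (not encrypted) token carrying the user id."
  def issue(user_id, opts \\ []) do
    Phoenix.Token.sign(@secret_key_base, @salt, user_id, opts)
  end

  @doc """
  Verify a token. Returns {:ok, user_id} or
  {:error, :expired | :invalid | :missing}.
  """
  def verify(token) do
    Phoenix.Token.verify(@secret_key_base, @salt, token, max_age: @max_age_seconds)
  end

  def run do
    token = issue(42)
    {:ok, 42} = verify(token)

    # Backdate signed_at by two lifetimes: the signature is valid but the
    # token is too old, so the caller sees :expired rather than :invalid.
    stale = issue(42, signed_at: System.system_time(:second) - 2 * @max_age_seconds)
    {:error, :expired} = verify(stale)

    # A token minted for another purpose (different salt) fails the MAC check.
    other = Phoenix.Token.sign(@secret_key_base, "password-reset", 42)
    {:error, :invalid} = verify(other)

    # A tampered token fails the MAC check too.
    {:error, :invalid} = verify(token <> "x")

    # No token at all, e.g. a missing Authorization header.
    {:error, :missing} = verify(nil)

    :ok
  end
end

TokenDemo.run()
```

`Phoenix.Token.sign/4` only signs, so the payload (here the user id) is readable by whoever holds the token; use `Phoenix.Token.encrypt/4` and `decrypt/4` when the contents must stay private. Like any stateless token, these cannot be revoked before `max_age` runs out without keeping a server-side denylist, which is the trade-off that makes a session cookie the simpler choice for a plain browser login.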

As somebody who just spent a good few days on attempting to implement cookies etc. with Guardian, I’d like to add that using put_session is much, much easier. The Guardian framework is very powerful, but also complex to implement, test, and maintain. If you want to have simple authentication with cookies/session, use put_session.

7 Likes