Victoria Lo

98 likes · 10.0K reads · 7 comments

Xu Chunyang
Aug 22, 2020

Hi, I'm a newbie to web dev. I am not sure how a website keeps a user logged in. The method I can implement is storing the user's username & plain password in localStorage, then whenever the user opens my website, I use JavaScript to send their username & password to log them in automatically. I heard a user's plain password should not be stored anywhere, so this is a bad idea; however, I have not figured out how the token/session id works, i.e., how to create the token, how to verify it, where to store it, how to revoke it, how to prevent the user from modifying it, etc. I want to learn how to implement these before trying others' existing frameworks.

generateAccessToken returns a different token for the same payload each time, right? And is it done by converting { expiresIn: '1800s' } to the actual timestamp, or purely by hash function "magic"?

Can external JavaScript read localStorage and cookies? E.g., I store the user's plain password in localStorage and I include an external foo (say jQuery) library; can the code in the foo library read the password?

Victoria Lo
Author
Aug 22, 2020

Hi Chunyang, thanks for the question.

In terms of storing JWT tokens, yes, you are right. Don't ever store it in localStorage. The secure way is to store it in server-side memory so only your code can access it and not any external JavaScript.

Another way is to use HTTPS secured cookies or httpOnly cookies. More details here. More about cookies in general here. Hope that helps!

Chigbogu Orji
Aug 22, 2020

What a great article, I am currently working on a project that needs authentication... I find this useful.

Victoria Lo
Author
Aug 22, 2020

Thanks a lot! :)

Ader Chox
Feb 27, 2023

Thank you, but never store passwords in JWTs; this is bad practice and better removed from the article.

Ader Chox
Feb 27, 2023

It will be as vulnerable as basic authentication in that case.

Victoria Lo
Author
Feb 27, 2023

Thanks for the feedback, Ader Chox. Apologies if the article was unclear, but yes, we do not store passwords in JWTs. I'll update the article so it will be more coherent.
