Authentication Lessons I Learned the Hard Way
I started my career with freedom. I tried PHP and Java. I lacked a mentor. I built a login system. It failed.
I used session variables first. This fails during scaling. Requests go to different servers. Users lose their sessions.
I used MD5 for passwords. MD5 is hashing. It is not encryption. Attackers use lists to find passwords. I also used HTTP. Data was sent in plain text.
I made a custom token system. It hit the database every request. It was slow. It did not scale.
Do not reinvent security. Use proven tools.
Use BCrypt for passwords. It adds a salt and a tunable cost factor, which makes brute-force guessing slow. Add a pepper for extra protection.
Use JWT for tokens. A JWT is signed, so services verify the signature instead of querying the database on every request. This is fast.
Use two tokens:
- Access Token: Short life. Low risk if stolen.
- Refresh Token: Long life. Use this to get new access tokens.
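A minimal version of the two-token scheme above, added here as an example (it is not code from the original post): HS256 JWTs are minted and verified with only the Python standard library, and verification needs nothing but the shared secret. The secret value and the two lifetimes are assumed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed shared signing secret; in practice load it from a secrets manager.
SECRET = b"example-signing-key-change-me"
ACCESS_TTL = 15 * 60          # short life: limits damage if stolen
REFRESH_TTL = 30 * 24 * 3600  # long life: only ever exchanged for new access tokens


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(user_id: str, kind: str, now=None) -> str:
    """Issue an HS256 JWT. kind is 'access' or 'refresh' and is recorded in
    the claims so a refresh token cannot be presented as an access token."""
    now = int(time.time()) if now is None else now
    ttl = ACCESS_TTL if kind == "access" else REFRESH_TTL
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": user_id, "typ": kind, "iat": now, "exp": now + ttl}
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify(token: str, expected_kind: str, now=None):
    """Return the claims if signature, algorithm, kind and expiry all check
    out, otherwise None. No database lookup: the signature proves issuance."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # refuse 'none' and any other algorithm
            return None
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time
            return None
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, TypeError, AttributeError):  # malformed token
        return None
    if claims.get("typ") != expected_kind or claims.get("exp", 0) <= now:
        return None
    return claims
```

A production service would use a maintained JWT library rather than this hand-rolled version, in line with the post's own advice to prefer proven tools.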
Security tips:
- Do not keep tokens in local storage; any script running on the page can read them.
- Store them in secure cookies instead.
Security is not about being clever. Use proven solutions. Ask yourself:
- Did someone solve this?
- What is the best way now?
- Why build it myself?
Source: https://dev.to/jmnovelovargas/learnings-about-authentication-and-authorization-hjb