Lessons On Authentication And Authorization
I started my engineering career with total freedom. I tried many tools. I lacked a mentor. I built a bad login system.
Here is what I did wrong. Here is how you should do it.
I kept login state in server-side session variables. That works on one server and breaks as soon as you add a second: the load balancer sends the next request to a different server, the session data lives only on the first one, and the user is suddenly logged out. If you keep server-side sessions, you need sticky sessions or a shared session store that every server reads from.
I hashed passwords with unsalted MD5 and served the login form over plain HTTP. Both were mistakes.
- MD5 is a hash, not encryption, and a fast, unsalted one: two users with the same password get the same digest, and nothing about it slows an attacker down.
- Attackers do not reverse MD5. They run wordlists and precomputed tables against the leaked digests and recover most passwords quickly.
- Plain HTTP sends the password and the session cookie in cleartext to anyone on the network path. Use HTTPS for every request, not just the login page.
I built my own token system and stored the tokens in a database.
- Every request hit the database twice:
- once to look up the user behind the token,
- once to load that user's roles.
- Two lookups per request add latency and database load that grow with traffic.
Do not reinvent the wheel. Use proven tools.
Use bcrypt for passwords. It salts every hash and has a cost factor you raise as hardware gets faster, so brute-force and wordlist attacks become slow and precomputed tables become useless. Add a pepper: a secret key kept outside the database (environment variable or secrets manager), so a database dump alone is not enough to attack the hashes. Mix the pepper in with an HMAC over the password before hashing rather than by concatenation, because bcrypt only reads the first 72 bytes of its input.
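The hashing scheme above, as an added example that is not code from the original post: a per-user salt, a tunable cost factor, and a pepper that lives outside the database, shown next to the unsalted MD5 scheme the post warns against. bcrypt itself needs the third-party `bcrypt` package, so this uses the standard library's `hashlib.pbkdf2_hmac`, which has the same shape (salt plus cost); the `PASSWORD_PEPPER` variable name and the record format `algorithm$iterations$salt$digest` are assumptions made for the example.

```python
# Added example: salted, cost-factored password hashing with a pepper,
# beside the unsalted MD5 'before'. pbkdf2_hmac stands in for bcrypt so the
# example runs with the standard library alone.
import hashlib
import hmac
import os
import secrets

# Assumption: in production the pepper comes from an environment variable or a
# secrets manager, never from the database. The fallback keeps this runnable.
PEPPER = os.environ.get("PASSWORD_PEPPER", "example-pepper-do-not-use").encode()

ITERATIONS = 600_000  # the cost factor: raise it as hardware gets faster


def md5_password(password: str) -> str:
    """The 'before': fast, unsalted, identical digest for identical passwords."""
    return hashlib.md5(password.encode()).hexdigest()


def _peppered(password: str) -> bytes:
    # Fold the pepper in with an HMAC rather than string concatenation. The
    # output is always 32 bytes, which also sidesteps bcrypt's 72-byte limit.
    return hmac.new(PEPPER, password.encode(), hashlib.sha256).digest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = secrets.token_bytes(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", _peppered(password), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and cost; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", _peppered(password), salt, int(iterations))
    except ValueError:
        return False
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record uses a lower cost than the current policy,
    so it can be re-hashed on the user's next successful login."""
    try:
        algo, stored_iterations, _salt, _digest = record.split("$")
        return algo != "pbkdf2_sha256" or int(stored_iterations) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Same password for two users: MD5 gives identical digests, the salted
    # scheme gives two different records that both verify.
    print("md5 collides:", md5_password("hunter2") == md5_password("hunter2"))
    r1, r2 = hash_password("hunter2"), hash_password("hunter2")
    print("records differ:", r1 != r2)
    print("correct password:", verify_password("hunter2", r1))
    print("wrong password:", verify_password("hunter3", r1))
```

Raising `ITERATIONS` later does not break existing users: `verify_password` reads the cost from the record, and `needs_rehash` tells you to re-hash with the new cost the next time the user logs in.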
Use JWTs for tokens. A JWT is signed by the server and carries its claims (user id, roles, expiry) inside it, so it is stateless: the server verifies the signature instead of looking the token up.
- It removes the database hits on every check.
- It is faster.
- Issue a short-lived access token (minutes), because a stateless token cannot be revoked before it expires.
- Issue a longer-lived refresh token that only mints new access tokens, and keep a server-side record of it so a stolen refresh token can be revoked.
Stop storing tokens in localStorage. Any script running on the page, including one injected through XSS, can read it and send it elsewhere. Put the token in a cookie with the HttpOnly, Secure and SameSite attributes: HttpOnly keeps page scripts out, Secure keeps it off plain HTTP, and SameSite limits the cross-site request forgery that cookies otherwise invite.
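The token design above, as an added example that is not code from the original post: a minimal HS256 JWT signed and verified without any database lookup, a short-lived access token and a longer-lived refresh token, and the Set-Cookie header that keeps the access token away from page scripts. It covers both the JWT list and the cookie advice. The signing key, the 15-minute and 30-day lifetimes, the `typ`/`jti` claim usage and the cookie name `access_token` are assumptions for the example; a real service should use a maintained JWT library rather than this hand-rolled one, which exists to show what "signed and stateless" means.

```python
# Added example: HS256 JWT issue/verify with no database lookup, plus the
# HttpOnly/Secure/SameSite cookie that carries the access token.
import base64
import hashlib
import hmac
import json
import secrets
import time
from http.cookies import SimpleCookie
from typing import Optional

# Assumption: the key comes from a secrets manager in production.
SIGNING_KEY = b"example-signing-key-do-not-use"
ACCESS_TTL = 15 * 60           # short-lived access token: 15 minutes
REFRESH_TTL = 30 * 24 * 3600   # longer-lived refresh token: 30 days


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """header.payload.signature, each part base64url without padding."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes = SIGNING_KEY, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, else None.
    No database access: the user id and roles travel inside the token."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # pin the algorithm; never honour alg from the token
        expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig_b64)):
            return None
        claims = json.loads(_unb64url(body_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def issue_tokens(user_id: str, roles: list, now: Optional[float] = None) -> dict:
    """Access token carries roles and expires fast; refresh token carries only
    an id (jti) that the server records so it can be revoked."""
    now = int(time.time() if now is None else now)
    access = sign_jwt({"sub": user_id, "roles": roles, "typ": "access",
                       "iat": now, "exp": now + ACCESS_TTL})
    refresh = sign_jwt({"sub": user_id, "typ": "refresh", "jti": secrets.token_urlsafe(16),
                        "iat": now, "exp": now + REFRESH_TTL})
    return {"access": access, "refresh": refresh}


def access_cookie(token: str, max_age: int = ACCESS_TTL) -> str:
    """Set-Cookie value: HttpOnly blocks document.cookie, Secure keeps it off
    plain HTTP, SameSite=Strict stops the browser sending it cross-site (CSRF)."""
    jar = SimpleCookie()
    jar["access_token"] = token
    morsel = jar["access_token"]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Strict"
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return morsel.OutputString()


if __name__ == "__main__":
    tokens = issue_tokens("user-42", ["admin"])
    print("Set-Cookie:", access_cookie(tokens["access"]))
    print("claims:", verify_jwt(tokens["access"]))
    print("after expiry:", verify_jwt(tokens["access"], now=time.time() + ACCESS_TTL + 1))
```

Note what the verifier refuses: a token whose header says any algorithm other than HS256, a token signed with a different key, a modified payload, and an expired token. The roles check that used to cost a database query is now `verify_jwt(token)["roles"]`.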
Security is not about being clever. Use well-proven solutions.
Ask these questions first:
- Did someone solve this already?
- What is the best way to solve this now?
- Why should I build this myself?
Source: https://dev.to/jmnovelovargas/learnings-about-authentication-and-authorization-hjb