“Don’t move to that London” warned my northern grandfather once. “It’s full of spivs”.
The Oxford Dictionary (somewhat chauvinistically) defines a spiv as:
A man, typically a flashy dresser, who makes a living by disreputable dealings
“But I work in IT” I told him. “engineers aren’t like that”.
TLDR: JWTs should not be used for keeping your user logged in. They are not designed for this purpose, they are not secure, and there is a much better tool which is designed for it: regular cookie sessions.
If you've got a bit of time to watch a presentation on it, I highly recommend this talk: https://www.youtube.com/watch?v=pYeekwv3vC4 (Note that other topics are largely skimmed over, such as CSRF protection. You should learn about other topics from other sources. Also note that "valid" usecases for JWTs at the end of the video can also be easily handled by other, better, and more secure tools. Specifically, PASETO.)
A related topic: Don't use localStorage (or sessionStorage) for authentication credentials, including JWT tokens: https://www.rdegges.com/2018/please-stop-using-local-storage/
The reason to avoid JWTs comes down to a couple different points:
AddOn:
chrome/userChrome.css in your profile directory:
“Don’t move to that London” warned my northern grandfather once. “It’s full of spivs”.
The Oxford Dictionary (somewhat chauvinistically) defines a spiv as:
A man, typically a flashy dresser, who makes a living by disreputable dealings
“But I work in IT” I told him. “engineers aren’t like that”.
| defmodule Acme.Repo do | |
| use Ecto.Repo, | |
| otp_app: :acme, | |
| adapter: Ecto.Adapters.Postgres | |
| def with_prefix(prefix) do | |
| module_atom = Module.concat([Acme, Repo, WithPrefix, Macro.camelize(prefix)]) | |
| # We could not find a better way to see if this module already existed | |
| if !Kernel.function_exported?(module_atom, :prefix, 0) do |
