donabrams/dcc31174e0553a610622a5c734a647a0 (last active April 25, 2018 23:16)
General JWT approach that usually isn't terrible checklist
☐ Put JWT in a cookie
☐ HTTPOnly cookie
☐ Secure cookie
☐ Domain w/ a subdomain (never root)
☐ No authorization in the JWT body (look it up serverside ya lazy asses)
☐ Userid in cookie should NOT exist anywhere but auth service
☐ Short window (< 15 min) for JWT authentication token
☐ Ability to deauthorize a refresh token chain serverside (but long life on a refresh token is OK)
☐ Ability to monitor requests by refresh token chain
Bonus points for autogenerating the user ID when creating the JWT!