I've been playing around with NextAuth and use it in an OAuth setup.
Now that I have a basic overview of the package, I'm curious but also intrigued as to why you decided to use a JWT token, fill it with data, encrypt it (JWE), and store it as the value of the HttpOnly, next-auth.session-token cookie.
Meanwhile, when using getSession, NextAuth makes a request to www.example.com/api/auth/session, which returns the value of the HttpOnly cookie.
A. Unless I misunderstood something after digging through the source code, NextAuth doesn't actually use a session when session.strategy is set to jwt? Why then use the term "session" (confusion) at all?
B. How is this then different, and more secure, than using a normal JWT? The client may now not read the content of the JWT any more, and HttpOnly may now prevent basic XSS attacks, but what about the rest? As soon as someone has gained access to the JWE, it's over.
According to the documentation, CSRF tokens are only used during Sign In/Out.
I appreciate anyone's time who could help me understand NextAuth better, even if it's only by helping with one of the above points. :)