April 8, 2019

So many ways of doing user session management for a mobile/web app... Can anyone help?

Hi. I'm new here, and I want to start off with a quick problem I've been having. I also wonder how many other people have this problem and how they go about solving it.

There are TONS of ways to do session management. Should I use one long-lived session? Should I use refresh tokens? If yes, then should the refresh tokens change? If we do not change them, then isn't that sort of a security problem? Happy to chat about this :)


  1. 2

    Shoot me an email through my profile if you'd like to chat about this. Happy to help.

  2. 2

    I would suggest that you check the available auth libs for your tooling (e.g. Passport for Node.js, Devise for Rails, etc.) or even use one agnostic of the language you use, like Auth0. It's easy to mess up with custom auth systems, and your time is way too precious for that when it could be focused on solving new problems that haven't been solved before! Hope that helps.

  3. 1

    Generally I think the best way to handle this is to use something like JSON Web Tokens (JWT) if you have an API/mobile/separate codebases.

    If you're making a web app and using a framework, you could do session-based authentication. I'm using pretty standard out-of-the-box authentication from the Laravel PHP framework for the Employbl project.

    Session authentication can be nice since you don't have to manage as much user authentication state in your frontend codebase.

    If I were you I'd start with whatever you find to be easiest and get it live. Don't be hung up too much on authentication, because it can be a rabbit hole! Good luck!
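The question in the original post (should refresh tokens change, and is it a problem if they do not) and the token-based approach suggested in the third comment both come down to how the server treats a refresh token once it has been exchanged. The following is an added example, not code from this thread or from any of the libraries or services mentioned in it. It assumes opaque random refresh tokens stored hashed on the server, a short-lived access token standing in for a signed JWT, and one "token family" per login, so that replaying an already-rotated refresh token revokes the entire family. The lifetimes, class names and function names are my own choices.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Assumed lifetimes (not from the thread): short access token, long refresh token.
ACCESS_TTL = 15 * 60
REFRESH_TTL = 30 * 24 * 3600


class AuthError(Exception):
    """Raised when a token cannot be honoured; the client must log in again."""


@dataclass
class RefreshRecord:
    user_id: str
    family_id: str      # one family per login; rotation keeps the family id
    expires_at: float
    used: bool = False  # set once the token has been exchanged for a new pair


def _fingerprint(token: str) -> str:
    # Store only a hash so a leaked database does not hand out live refresh tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class TokenService:
    """Hypothetical in-memory token store; a real deployment would back this with a database."""

    def __init__(self, now=time.time):
        self._now = now                  # injectable clock, used by the tests below
        self._refresh = {}               # fingerprint -> RefreshRecord
        self._revoked_families = set()
        self._access = {}                # stand-in for a signed JWT: token -> (user_id, expiry)

    def _issue_pair(self, user_id, family_id):
        access = secrets.token_urlsafe(32)
        self._access[access] = (user_id, self._now() + ACCESS_TTL)
        refresh = secrets.token_urlsafe(32)
        self._refresh[_fingerprint(refresh)] = RefreshRecord(
            user_id, family_id, self._now() + REFRESH_TTL)
        return access, refresh

    def login(self, user_id):
        """The credential check happens elsewhere; a successful login starts a new family."""
        return self._issue_pair(user_id, secrets.token_hex(8))

    def refresh(self, refresh_token):
        rec = self._refresh.get(_fingerprint(refresh_token))
        if rec is None:
            raise AuthError("unknown refresh token")
        if rec.family_id in self._revoked_families:
            raise AuthError("token family revoked")
        if rec.used:
            # Two parties now hold the same refresh token: the real client and whoever
            # copied it. We cannot tell which one sent this request, so the whole
            # family is revoked and both must log in again.
            self._revoked_families.add(rec.family_id)
            raise AuthError("refresh token reuse detected; family revoked")
        if self._now() > rec.expires_at:
            raise AuthError("refresh token expired")
        rec.used = True                  # retire the old token, issue a fresh pair
        return self._issue_pair(rec.user_id, rec.family_id)

    def logout(self, refresh_token):
        rec = self._refresh.get(_fingerprint(refresh_token))
        if rec is not None:
            self._revoked_families.add(rec.family_id)

    def verify_access(self, access_token):
        # Like a JWT, an access token is not revoked early; it simply expires.
        entry = self._access.get(access_token)
        if entry is None or self._now() > entry[1]:
            return None
        return entry[0]


def walkthrough():
    """Login, one legitimate rotation, then a replay of the retired refresh token."""
    svc = TokenService()
    _, r1 = svc.login("alice")
    a2, r2 = svc.refresh(r1)             # normal rotation: r1 retired, r2 issued
    steps = {"rotated": svc.verify_access(a2) == "alice"}
    try:
        svc.refresh(r1)                  # replay of r1: reuse detected
        steps["replay_rejected"] = False
    except AuthError:
        steps["replay_rejected"] = True
    try:
        svc.refresh(r2)                  # r2 is dead as well: the family was revoked
        steps["family_revoked"] = False
    except AuthError:
        steps["family_revoked"] = True
    return steps
```

The answer to "if we do not change them, isn't that a security problem?" is visible in `refresh`: with a fixed refresh token, a copy stolen from a device or a log is valid for its whole lifetime and nobody notices; with rotation plus reuse detection, the first time the thief and the real client both try to use the same token, the family dies and the real user is forced to log in again, which is the signal that something was stolen. One caveat practitioners hit with this design: mobile clients that fire two refresh requests concurrently will trigger the reuse path against themselves, so real deployments either serialise refreshes on the client or allow a short grace window in which the retired token is still accepted.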