Wednesday, June 27, 2018

Web authentication - Should I use both JWT & cookie expiry?

I am building a basic authentication back-end for a web application and I wonder if it is necessary to set an expiration time for both JWT and the cookie that stores it?

It seems unnecessary to set it separately for both when the result stays the same.

I would prefer to set just the JWT expiration because for some reason I can't access the cookie's expiration time, so I would probably have to refresh it with every request and that seems like a bad idea to me. (I am using Node.js & Express.js with the cookie-parser module.)
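The two expiries from the question side by side, as an added example that is not part of the original post: the cookie's `Max-Age` is an instruction to the browser and is not sent back in the `Cookie` request header, while the JWT's `exp` claim is what the server can verify on each request. It uses only Node's built-in `crypto`; `SECRET`, the cookie name `token` and the 15-minute lifetime are assumptions.

```javascript
// Added example (not from the original post). SECRET, the cookie name "token"
// and the 15-minute lifetime are assumptions chosen for illustration.
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret';
const TTL_SECONDS = 15 * 60;

const b64url = (buf) => Buffer.from(buf).toString('base64url');
const hmac = (data) => crypto.createHmac('sha256', SECRET).update(data).digest();

// Minimal HS256 JWT carrying an `exp` claim (seconds since epoch).
function signJwt(payload, nowSec) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify({ ...payload, exp: nowSec + TTL_SECONDS }));
  return `${header}.${body}.${b64url(hmac(`${header}.${body}`))}`;
}

// Server-side check: signature first, then `exp`. Returns the claims or null.
function verifyJwt(token, nowSec) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [header, body, sig] = parts;
  const expected = hmac(`${header}.${body}`);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  return typeof claims.exp === 'number' && nowSec < claims.exp ? claims : null;
}

// What the server sends: Max-Age only tells the browser when to drop the cookie.
function setCookieHeader(token) {
  return `token=${token}; Max-Age=${TTL_SECONDS}; HttpOnly; Secure; SameSite=Strict; Path=/`;
}

// What comes back: a Cookie request header holds name=value pairs, no attributes,
// so the server never sees the expiry it set on the cookie.
function parseCookieHeader(header) {
  return Object.fromEntries(header.split(';').map((p) => {
    const i = p.indexOf('=');
    return [p.slice(0, i).trim(), p.slice(i + 1).trim()];
  }));
}
```

Because `exp` sits inside the signed token, `verifyJwt` can enforce it on every request without the server ever reading the cookie's own expiry.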



