Ekaitz Zárraga 👹 @ekaitz_zarraga

So many random doubts about the Authorization in my web application I'm making in .

I'm using Buddy to handle the auth stuff. And I'm making a template based website, no SPA, and the auth handled in the sessions.

I know how to create users and check if they are authenticated.

The problem I see now is how I should handle the authorization. Should I store the role of the user in the session too (in the login step)? Or is that a bad choice?


If I don't do that, I'd have to check the role in the db in the middleware... and... I don't like that for *reasons*

@ekaitz_zarraga @yabirgb Couple of resources explaining why JWT are not the best idea for sessions: cryto.net/~joepie91/blog/2016/ and developer.okta.com/blog/2018/0 The latter contains some advertising of the company writing the post, but it's not bad.

@ekaitz_zarraga I personally don't like jwt but for some situations they are good. Also they appeared in a blog post that you shared before. Storing the role and sending it is not safe and shouldn't be trusted (as far as I know)

@yabirgb That's why I want to store the whole thing on the session of the app. That's not sent to the client (is it?) so I can handle cool things there (in-memory) and check them when a new query arrives.

The app is not a SPA so I can't control the tokens sent. That's why I avoided them.

@ekaitz_zarraga @yabirgb I tend to use either a memory session or something like Redis in such cases. These are never sent to the client, being inherently safer than cookie-based sessions in my view.

Swapping in different implementations is very easy since it's a protocol, so I'd start with a memory session as the default.

I think storing the role in the session is fine as well, here's an example of role based auth in one of my apps github.com/yogthos/memory-hole

@yogthos @yabirgb Yeah, and how do I do that without Redis? By default ring sessions are handled in-memory too, right?
So... using buddy and simply storing the role in the session is enough...?
Can I put {:user id :role role} in the identity directly?

@ekaitz_zarraga @yabirgb Yeah, memory store should be the default, and yeah, just adding something like {:userid id :role role} to the session is pretty standard.
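What the thread converges on, as an added Clojure example that is not from the thread or from memory-hole: the role is decided once at login, stored in the server-side Ring session under :identity, read back by Buddy's session backend, and enforced by an access rule, so only a session id cookie ever reaches the browser. It assumes ring-core and buddy-auth on the classpath, and the user table is a constructed stub with password verification omitted.

```clojure
(ns example.authz
  (:require [ring.middleware.session :refer [wrap-session]]
            [ring.middleware.session.memory :refer [memory-store]]
            [ring.middleware.params :refer [wrap-params]]
            [buddy.auth :refer [authenticated?]]
            [buddy.auth.backends :as backends]
            [buddy.auth.middleware :refer [wrap-authentication wrap-authorization]]
            [buddy.auth.accessrules :refer [restrict]]))

;; Constructed stand-in for the DB lookup; a real login also verifies a password hash.
(def users {"alice" {:id 1 :role :admin}
            "bob"   {:id 2 :role :user}})

(defn login [{:keys [params session]}]
  (if-let [u (get users (get params "username"))]
    ;; :identity is what buddy's session backend copies onto the request,
    ;; so the role is looked up once here and never re-queried per request.
    {:status 302 :headers {"Location" "/"}
     :session (assoc session :identity {:userid (:id u) :role (:role u)})}
    {:status 401 :body "bad credentials"}))

(defn logout [_]
  {:status 302 :headers {"Location" "/"} :session nil}) ; nil drops the server-side session

;; Access rule: reads the role from the session-backed identity, not from anything client-supplied.
(defn admin? [request]
  (and (authenticated? request)
       (= :admin (get-in request [:identity :role]))))

(defn on-denied [request _]
  (if (authenticated? request)
    {:status 403 :body "forbidden"}          ; logged in, wrong role
    {:status 401 :body "login required"}))   ; no identity in the session

(def admin-page
  (restrict (fn [request]
              {:status 200 :body (str "hello admin " (get-in request [:identity :userid]))})
            {:handler admin? :on-error on-denied}))

(defn router [request]
  (case [(:request-method request) (:uri request)]
    [:post "/login"]  (login request)
    [:post "/logout"] (logout request)
    [:get "/admin"]   (admin-page request)
    {:status 404 :body "not found"}))

(def backend (backends/session))

;; wrap-session is outermost so the identity is available to the buddy middleware.
(def app
  (-> router
      (wrap-authorization backend)
      (wrap-authentication backend)
      wrap-params
      (wrap-session {:store (memory-store)})))
```

Swapping `(memory-store)` for a Redis-backed store later changes nothing else, since the role is only ever read from `(:identity request)`.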