I need some advice regarding a PWA project. The backend runs a PHP-based API that I wrote to provide the PWA with data. The API access requires authentication and I would like a user to stay authenticated after a login for a week at max during inactivity.
Currently, I have solved this using JWT. During the validity of the JWT access token, I rely on data stored in the JWT: a user ID and a club ID (indicating membership), to avoid having to check which club the user is an active member of.
Recently, I’ve read a lot of articles on how JWT is bad practice and often misused and that session-based auth is a better solution. I am wondering now if I should move to that, especially having the following requirements in mind:
- the PHP backend needs to run on shared hosting (1&1 IONOS), so no Redis/Memcached (for caching the user authentication state and not having to request the DB on every request) available (I think?)
- a user should not have to authenticate every time using the app, but stay logged in for 7 days during activity, with the auth window automatically extending when using (would a PHP session lifetime of 7 days be at all possible on shared hosting / a good idea?)
- I want to avoid validating a user’s access right / club membership upon every API request to reduce database load (therefore the “caching” of user id and club id through JWT previously)
- I need, however, to validate a user’s access right periodically, e.g. every 1 hour, to allow potential user banning (so far, with JWT, I have done this check every time a refresh token is used, by checking in the DB whether the refresh token was invalidated manually – I am fully aware that this makes JWT lose its statelessness)
- the app is expected to be able to handle tens to hundreds of concurrent users
Are these requirements better handled using session-based authentication? I am specifically interested in the implications regarding security and flexibility/UX.
Thanks in advance for your insights! 🙏
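As an added illustration (not the poster's code), the scheme described in the question can be written out in plain PHP without a library: a 1-hour HS256 access token carrying the user ID and club ID as claims, and a refresh step that is the only place the database is consulted and that re-issues a 7-day refresh token to give the sliding inactivity window. The signing key and the `$isRevoked` / `$lookupClub` callables standing in for the DB queries are assumptions.

```php
<?php
// Added example, not the poster's code. HS256 JWT helpers reproducing the scheme
// in the question; $isRevoked / $lookupClub are assumed stand-ins for DB queries.
function b64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}
function b64url_decode(string $txt): string {
    return base64_decode(strtr($txt, '-_', '+/'), true) ?: '';
}
function jwt_sign(array $claims, string $key): string {
    $header = b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $body   = b64url_encode(json_encode($claims));
    $sig    = b64url_encode(hash_hmac('sha256', "$header.$body", $key, true));
    return "$header.$body.$sig";
}
// Returns the claims, or null on any failure. The algorithm is pinned to HS256
// (never taken from the token) and the signature is compared in constant time.
function jwt_verify(string $token, string $key): ?array {
    $parts = explode('.', $token);
    if (count($parts) !== 3) return null;
    [$header, $body, $sig] = $parts;
    $hdr = json_decode(b64url_decode($header), true);
    if (($hdr['alg'] ?? null) !== 'HS256') return null;
    $expected = b64url_encode(hash_hmac('sha256', "$header.$body", $key, true));
    if (!hash_equals($expected, $sig)) return null;
    $claims = json_decode(b64url_decode($body), true);
    if (!is_array($claims) || ($claims['exp'] ?? 0) <= time()) return null;
    return $claims;
}
// Access token: uid and club travel in the claims, so ordinary API requests need no DB hit.
function issue_access_token(int $uid, int $club, string $key, int $now): string {
    return jwt_sign(['sub' => $uid, 'club' => $club, 'iat' => $now, 'exp' => $now + 3600], $key);
}
// Refresh: re-checks revocation in the DB, re-reads the club (so a ban or club change
// takes effect within an hour) and issues a new 7-day refresh token, which produces
// the sliding "7 days of inactivity" window described above.
function refresh(string $token, string $key, callable $isRevoked, callable $lookupClub): ?array {
    $c = jwt_verify($token, $key);
    if ($c === null || ($c['use'] ?? '') !== 'refresh' || $isRevoked($c['jti'] ?? '')) return null;
    $now = time();
    $uid = (int) ($c['sub'] ?? 0);
    $jti = bin2hex(random_bytes(16)); // persist this id so the token can be invalidated manually
    return [
        'access'  => issue_access_token($uid, $lookupClub($uid), $key, $now),
        'refresh' => jwt_sign(['use' => 'refresh', 'sub' => $uid, 'jti' => $jti,
                               'exp' => $now + 7 * 86400], $key),
    ];
}
```

Because the club ID is cached in the access token, a membership change is only picked up at the next refresh, which is the trade-off between DB load and freshness the question describes.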