Next.js Discord

Discord Forum

How are nextauth sessions secure?

Answered
Jumbo flying squid posted this in #help-forum
Jumbo flying squidOP
Hey all! Trying to understand on a low level how nextauth sessions are secure on the client. I'm not super familiar with auth practices. Specifically, I'm using nextauth with an adapter and not a JWT. So my question is: How does next auth authentication work with the session object and how does it remain secure?
Answered by B33fb0n3
Exactly 🙌

6 Replies

@Jumbo flying squid Hey all! Trying to understand on a low level how nextauth sessions are secure on the client. I'm not super familiar with auth practices. Specifically, I'm using nextauth with an adapter and not a JWT. So my question is: How does next auth authentication work with the session object and how does it remain secure?
So you're using real sessions and not just JWTs. It works like this: the user signs in and the server returns a session token. This token points to a database table entry that contains all data about this session. So, first: only the session token is saved on the client.

"But then I can just change it to another one and my session is either broken or I get a session from someone else" you may ask.
No, you can't change it. That's because they are encrypted. In short: the server has its secret, and only with that secret can the token be changed. So if you know the server secret, you can change your session (that's what the server does), but the client doesn't know the secret, so it can't change it.
Jumbo flying squidOP
Ahh, got it. I think that was the missing key: the encryption on the session token.
And essentially someone could try to mess with the session data, but it would get rejected as it either doesn't match the data in the BE or the session token is just wrong.