difference between session token and access token?
Got a document in the sessions collection for a logged in user in my test MongoDB database. What's the difference between sessionToken and accessToken, and why is only accessToken being returned to the session variable in const [ session, loading ] = useSession()?
{user: {…}, accessToken: "e25f790f00e553b82592626a2a948a643e90a6f3b7c3b0d7b4574e94437e52cc", expires: "2020-10-18T02:58:39.561Z"}
accessToken: "e25f790f00e553b82592626a2a948a643e90a6f3b7c3b0d7b4574e94437e52cc"
expires: "2020-10-18T02:58:39.561Z"
user: {email: "someemail@gmail.com"}
In what cases would you use the access token vs the session token and is there an example of how you would use these tokens?
Top GitHub Comments
Great question! This isn’t really covered anywhere in the documentation.
A Session Token is usually used to identify a session in a browser (or other client). Typically Session Tokens are fixed and do not change unless a user signs out, but in some applications they can rotate. For optimal security, they should not be readable by client side JavaScript (i.e. they are server side only cookies).
An Access Token is usually used as a way of providing a way for clients to make requests using a token that uniquely identifies a user / session, sometimes - but not always - with less privileges (e.g. it might be read only, or may perform create and update operations, but not delete operations). Typically Access Tokens do rotate. This is done to limit the risk of exposing a token to client side JavaScript, where it could be hijacked by third party scripts.
For example, Google Access Tokens are only valid for 1 hour and you must make a request using a Refresh Token (which does not rotate, and functions like a Session Token) to request a new Access Token every hour.
NextAuth.js implements Access Tokens in sessions as a way to provide an identifier for client side operations that can be tracked back to a session, without exposing the Session Token itself (so that a Session cannot be hijacked by a third party script).
However, it is currently only a basic implementation in that the Access Token it exposes does not change / expire and it is not used for anything internally - it’s more a placeholder around which you can build on and extend on to add your own functionality, to discourage people from exposing the Session Token client side.
In practice, if you have /api/ endpoints in a Next.js app you should be able to access the session directly from them (or JWT directly, if you are using JSON Web Tokens to store session data) so you probably don't need to use the accessToken. An example of how you might want to use it, is to pass it to another service to allow it to make API requests to your service (e.g. as callback) so that it could do so securely on behalf of your user, without exposing information about the user or their session.
I am looking for the accessToken since I need it to request any data from the backend. Where is it stored and how do I access it from the frontend?