SuperTokens manages user sessions in the most secure way possible by minimising the chances of session attacks (such as XSS, Session fixation, compromised JWT signing key, CSRF etc) and enabling robust ways of detecting session theft (we use rotating refresh tokens – as recommended by IETF in RFC 6819). We’ve made it highly customisable and incredibly easy to integrate – saving your developer’s time in the process.
What is user session management?
Services (eg: Facebook, Netflix, slack etc) store authentication tokens (identifying information) on the user’s device which enables the user to access the service without the need to login repeatedly. Session management is the system through which these tokens are created, stored, changed and destroyed.
Whats the problem?
A stolen token can provide significant access to a user’s account and these tokens are far more susceptible to theft than passwords (they have a much higher frequency of transit and are stored on the frontend). Session management is incredibly important and several notable hacks have occurred as a result of token theft (Docker Hub ~200k accounts compromised, Facebook 50-90M accounts compromised). Many companies implement a very basic session management flow due to the pressure of product timelines with security becoming a low order priority.