A 7 minute guide to SESSIONS and COOKIES for authentication in Angular 

Definitely in the pipeline because I need to improve my SSR skills, I'm sure I'll be reading your articles in more detail (also I've been lurking on your convos with Brandon 👀)

This is essentially what I would do (keep track of state locally): after a successful auth set the state in an auth service to authenticated, if at any point a request fails due to being unauthorised set the auth state to unauthenticated (which would have the side effect of booting them to the login screen). It's also going to depend on the exact implementation though, for example you might have a session expire after some length of time but allow it to be refreshed without actually requiring the user to manually log back in every time it expires

I think the idea here is to give viewers an Authentication 101, this topic being wide and complex. Let's wait future videos for more advanced concepts 😉.

@@julienwickramatunga7338 yes I'd never write my own session management code on the backend in real life (which is why I have all the warnings in the video), but I think it does help to understand the fundamental/basic behind the scenes concepts

I use the same Nx style feature/data-access/ui/utils approach for everything big or small (except typically with larger projects I'm actually using Nx)

If you specifically mean something like a JWT the concepts are very similar - user authenticates, gets sent a token, they send that token with future requests. The key difference with a JWT is that the token itself defines who the user is/what they are authorised to do (e.g. what role they have). It's even fine for a JWT to be completely viewable/editable on the client side - all the server has to do is verify that the JWT hasn't been tampered with, and then it can trust all of the information within the JWT (if any of the fields were edited, it would invalidate the signature of the JWT)

@@JoshuaMorony JWT can easily be tampered - one should continually be generating a key refresh with deep certificate chaining to make this right. We do this at the bank I work for and its locked tight, but its expensive in terms of taxonomy of the browser, memory utilization etc… in terms of your video - you should have showed the users how to use UUID, to generate the unique session id, or argon 2. you make very good explainer videos - I watch and read continually no matter how novice things may appear to learn and grow as an SE.

​@@chrisburd9751 when you say that a JWT can be easily tampered with, do you mean that even if the secret key remains secret, and the signature of the JWT is properly verified on the server, there is a way this process can be easily duped?

@@JoshuaMorony no I mean the key can be intercepted and manipulated or decoded then reencoded - token forgery and token relay are common and unfortunate unless one implements security properly, it’s not a safer alternative - in many ways deep certificate chaining should be mandatory but it’s not because no one is really serious about securing our data.

​@@JoshuaMorony there are many ways that it can be easily duped - from multiple attack vectors. One should always use rolling keys -(certificate chaining) - (deep certificate chaining) involves storage on the mobile device/browser and requires installation to the end point. CSRF, weak storage, JWT brute force on an intercepted token, decoding of the JWT token. Choosing the wrong algorithm, or poorly written authentication allows this. I listen to content all day long everyday in the background - including yours, it just plays and I listen - you do a very good job on your explainer videos; I could never do what you do. All I'm saying there's a widespread misprision that JWT is super secure - on its face value, it's not. If one is serious about launching an application - one should really hire a consultant and not roll it your own. At the bank I work for - we pen test apps from other LOB's the average application presented is hacked within 30 seconds - the first vector of attack for us is always JWT, the easiest entrance point. One we have a tunnel in we'll attack the interior infrastructure.