I am building an express server that will be used with an iOS native mobile client. Users of the app will be able to form "parties" with other users, and users within the same party will be able to communicate with each other via socket.io.
I want to enable sessions so that 1) I can have persistent login on my frontend and 2) store user.party_id inside a session, so that for a particular user I always have access to his party. If the user leaves a party, then req.session.party_id will be set to null.
Is it possible to use express-session with a native mobile client? I would assume so, and that all the client has to do is set a cookie header on each request. The server then reads the cookie id, and has access to the user session. Are there any drawbacks to using a session with native mobile clients?
Are there any drawbacks to this approach? Someone suggested that instead I set a JWT as an Authorization header, and on each request, use that header to lookup the user and party_id. This approach seems to be a reinvention of a session.
Check out "Swift: How to remember cookies for further http requests" for info on how to save a cookie/session cookie.
As to JWT vs. session cookies, they do serve similar purposes. JWT is more widely used today as it enables you to have multiple servers that handle API requests (i.e. horizontal scaling or serverless architectures) and are more fault tolerant (i.e. still work even if the server restarts). Depending on your needs, it might be worth looking at JWTs.