I know someone is an amazing teacher when I start watching their video and I don't have to go back in time 10 times in every 2 minutes just to somewhat hang onto what they are saying. With your approach I just watched straight from start to finish and understood everything. I'm a really dumb person and it takes me frustratingly long to understand things compared to others. So I know you are a great teacher because watching this I actually felt smart.
I have spent many many weeks reading about authentication, authorization, cookies, sessions, JWT, OAuth, etc. in order to implement my own backend from scratch. Little by little I'm ordering all the knowledge to get a clear idea of how all of this work. One confusing aspect was how and when to use a database or not. This video has helped me understand it better. Thank you!
Thank you so much Brad. I'm currently at a coding bootcamp and I am constantly reaching for your videos first to supplement my learning. You have such a great way of explaining things! Really appreciate all your hard work :)
As a Jr Developer the only thing I can say to you is: Thank you! Nobody has ever been so clear about a very complex topic and explained in such detail the pros and cons of every approach. You just gained a subscriber.
Hi brad, i am a french developper and i have rarely seen a so much good quality of teaching! i directly subscribe to your channel. and i am going to take a look to your training on udemy!
You and Wes Bos are two of my favourite teachers. You both have the ability to teach complex topics. I have bought all your Udemy courses, always like and share your videos - I wish there was more I could do so more people could benefit from this.
I've taken two courses from Wes, he's one of my favorites! He once retweeted me talking about my favorite part of his JavaScript 30 series and it made my day/week 😂. Thank you so much for all the support!
Hi Brad, It was a great video! People are still unaware of important things such as cookies and web tokens, and you sharing insights and information about them will definitely help a lot of viewers. I did know about them, but I still enjoyed watching this video a lot. Thanks a lot for sharing such an amazing video. It was very informative, and I am sure it will add value to many lives. Looking forward to watching more amazing videos from you!
Hi Brad, How session ID(connect.sid) is stored in cookie @20:43 . In the code you never set cookie in the response. and @20:43 _csrf should be in hidden input value but why it is in cookie. I re-watched so many times still couldn't understand. Can you help me please?
Hi, we didn't manually write the code to store connect.sid as a cookie, but the express-session NPM package does that for us. The _csrf cookie is created automatically by the csurf NPM package; it stores that cookie so it can use it to validate the hidden input value.
Hi, that's okay because yes you as the visitor of that legit page can view the inspector / source, but we're just trying to prevent other sites from making requests on our behalf and taking advantage of our cookies being automatically sent without us knowing. In this case, those other sites can't view the DOM of our page. So yes, they can try to send a request on our behalf but it will fail without that hidden field value. Or I guess you could say, that hidden field protects us from CSRF not XSS.
Thanks for a great session Brad!! It was wonderful. Have a query , Is it possible to use JWT stored in local storage for a multi page application? I understand that If we use session cookies, on every Page Load / Page redirection cookies will automatically be sent in the browser GET request. How can we handle such scenarios if JWT is stored in local storage?
There's something wrong here when u are trying simulate the CSRF attack, I don't see Cookie being sent to Server from another TAB when i reproduced it, even when i opened the other tab Application Storage , i dont Cookie being shared across the browser TABS. and i don't see cookie being sent and it works perfectly with FAILED message. So at #13:10 I am assuming that you did something in the background to have that cookie at that TAB as well. So I am suspecting this is not a TRUE Simulation of that Attack ? what do u say @learnWebCode?. But i do like this video content FYI
I don't recall doing anything off camera for that cookie example, at the time I recorded it, it was reproducible by following along. Is it possible you were using a privacy focused web browser like Brave? In one of my examples I remember the CodePen CSRF attack example was only possible in FireFox but not Chrome.
Hi, what is exactly stored in the session id cookie in the browser? I thought it would not change during the session, but I noticed if you add an extra key/value pair at the session at server side with Flask, the cookie at the browser is changed too. Can I read/decode actually what is stored at the browser with the flask secret key? And why is the session id cookie changed? Thanks in advance!
Thank you for an excellent explanation. I have a question. How would session cookie can prevent a malicious user to gain access? Session related cookie is stored on the browser like any other cookie and it will be sent back with each and every request. It's similar to the example you have in the earlier part of the video where a malicious user sends a POST request.
Can you give an example of the type of malicious user / attack you have in mind? I'm not sure I understand your question. If we require a CSRF token along with the cookie's value then other malicious site's can't make successful requests on our behalf because they don't have access to the page/DOM with the CSRF token in it. Do you mean if someone physically steals someone's laptop and looks in their browser's cookie values? Or if our site is compromised and is serving up malicious JavaScript to our visitors?
@@LearnWebCode actually you are right, CRSF token along with session Cookie value should prevent malicious user's request. Shouldn't CRSF token also prevent malicious requests even if someone steels the laptop and gain access to browser cookie values ? Besides, session cookies, I was also thinking what possibly can a malicious user do to gain access to JWT token and use it to make successful requests ?
This is one of the best videos I've seen on development, period
Thank you! Glad it was helpful.
I know someone is an amazing teacher when I start watching their video and I don't have to go back in time 10 times in every 2 minutes just to somewhat hang onto what they are saying. With your approach I just watched straight from start to finish and understood everything. I'm a really dumb person and it takes me frustratingly long to understand things compared to others. So I know you are a great teacher because watching this I actually felt smart.
I have spent many many weeks reading about authentication, authorization, cookies, sessions, JWT, OAuth, etc. in order to implement my own backend from scratch. Little by little I'm ordering all the knowledge to get a clear idea of how all of this work. One confusing aspect was how and when to use a database or not. This video has helped me understand it better. Thank you!
Thank you so much Brad. I'm currently at a coding bootcamp and I am constantly reaching for your videos first to supplement my learning. You have such a great way of explaining things! Really appreciate all your hard work :)
All I can say is WOW. This is how to teach
Listening to Brad is like a warm cup of tea.
Brad is awesome teacher and his teaching skills is just superb. thank you Brad and Wish you a Merry Christmas and Happy New Year!!
True...One of the great 👍
+1 he's one of the best out there! I like his style of easing in into a concept then expand on it and practice it. superb teaching skills!
One of the best videos I have seen on Web Development. Hats off!
One of the best video covering Cookies, Session and JWT. Thank you so much, it has helped me to get answers to the many question I had for long time.
As a Jr Developer the only thing I can say to you is: Thank you! Nobody has ever been so clear about a very complex topic and explained in such detail the pros and cons of every approach. You just gained a subscriber.
I'm so greatful that people like you exist. This video was so informative, thank you so much.
I love the way you explained everything in detail.
Your videos refreshed my knowledge of web technologies.
Thank you.
Hi brad, i am a french developper and i have rarely seen a so much good quality of teaching! i directly subscribe to your channel. and i am going to take a look to your training on udemy!
Very clear description. Got the concepts across better than any other video I've watched.
I love the way you explained everything in detail. Brad is such an amazing teacher!
You and Wes Bos are two of my favourite teachers. You both have the ability to teach complex topics. I have bought all your Udemy courses, always like and share your videos - I wish there was more I could do so more people could benefit from this.
I've taken two courses from Wes, he's one of my favorites! He once retweeted me talking about my favorite part of his JavaScript 30 series and it made my day/week 😂. Thank you so much for all the support!
@@LearnWebCode yes he made javascript click for me when i was very close to saying its not for me.
Bro this is exactly what I was looking for. Thanks a ton for making this masterpiece.
i love how you explain everything, thank you! really learned alot
The way your video presents information from start to end is amazing!
Damn, this video is good, like pure GOLD
Brad is such an amazing teacher!
Really, A BIGG PICTURE!
Thank you very much for this very interesting tutorial with your clear both engish and explanation.
Ačiū už pasidalijimą. Neseniai naudojau Morelogin ir jis apsaugo privatumą.
Thanks man. This is really a concise and comprehensive video.
Absolutely best web dev channel on yt at least imo
This is my first time watching your videos and I subscribed! You actually had answers to my questions
Excellent presentation! Exactly what I was looking for. A detailed explanation of the client side. Thank You!
This Literally has cleared lot of my doubts and confusions, I am really thankful to you Man, really good video !!
This was a great video. Very demonstration of how the tech works.
this is best i have seen on sessions.
Thank you so much, you'r such an amazing teacher
You made my Life easy, Keep your great work
Waww. Great video: very well explained, showed how it works, pros and cons!! 10/10. Well done, Brad!
Thanks for this wonderful and concise presentation!
Thanks a lot for making this video! That was explained nicely!
Amazing tutorial! Thanks
Omg absolutely amazing video!!! It was so helpful for my fullstack project with authentication.
Thank you, very clear and super helpful tutorial.
thank u man for absolutely amazing work that u do.
Hi Brad,
It was a great video! People are still unaware of important things such as cookies and web tokens, and you sharing insights and information about them will definitely help a lot of viewers. I did know about them, but I still enjoyed watching this video a lot. Thanks a lot for sharing such an amazing video. It was very informative, and I am sure it will add value to many lives. Looking forward to watching more amazing videos from you!
WOW What a Perfect explanation !
Amazing teaching. Seeing the big picture helped me a lot, thanks!
Thank you so much! Clear explanation delivered in a pleasant, enjoyable way! Who knew persistence could be such fun!😊
Thank you for sharing very interesting web topics, Cheers
Thank you for sharing your knowledge with the rest of us
Great video! You really explained everything in only 45min, i love it!
Wonderful! Super well explained! Thank you
Great video mate, clear and concise, I'll be sure to check out your courses soon :)
❤❤❤❤❤❤❤. I'm requesting to you please make more and more videos over the technical concept like this videos.
I so needed this. I loved it. Amazing.
Best explanation so far ❤ thank you
awesome video! THANKS for the GREAT information!
best video so far!!!!!!
Really really a great content and presentation. Thanks so much
Great Explanation, Thank You
Excellent explanation - just what I was looking for!
awesome tutorial dude! keep the good work up!
Awesome teacher !!
Super cool video and you also explain things super clearly. Thanks a lot!
Excellent explanation, than you so much.
Excellent video - thank you very much.
That's very detailed. Thanks brad!
Great introduction, thanks!
I am sad this video is older than one year and only just about 30k. Thank you..
I bought all your udemy courses. Thanks for this series.
In a word, an awesome expression
I got my ideas clear after watching this video. just a question, can we make it like jwt maintained in cache only instead of local storage?
I feel I just got fatter with all this talk of cookies
Great video!
Thanks for the Big Picture!..
I cant be thankful enough.
Thank you, Brad. Great video clarifying a couple of things we sometimes use without fully understanding. I will check your Udemy courses for sure. 👍
very helpful video, I love you Brad!
Your git and wordpress curses on udemy make me real developer thanks a lot
Thanks a lot. Very clear explanation
wow this what was lookin' for.asante sana.
how i can like this video thousand times?👍👍👍👍
Thanks for the video. What mic are you using please?
Very very good lesson. Thanks man. Can you say to me how i run ahrefs on my subdomain?
Hi Brad, How session ID(connect.sid) is stored in cookie @20:43 . In the code you never set cookie in the response. and @20:43 _csrf should be in hidden input value but why it is in cookie. I re-watched so many times still couldn't understand. Can you help me please?
Hi, we didn't manually write the code to store connect.sid as a cookie, but the express-session NPM package does that for us. The _csrf cookie is created automatically by the csurf NPM package; it stores that cookie so it can use it to validate the hidden input value.
@@LearnWebCode Thank you Brad ❤
At 17:00, the hidden field can easily be seen the inspector mode. So, what about that??
Or I guess, the token would be random each time.
Hi, that's okay because yes you as the visitor of that legit page can view the inspector / source, but we're just trying to prevent other sites from making requests on our behalf and taking advantage of our cookies being automatically sent without us knowing. In this case, those other sites can't view the DOM of our page. So yes, they can try to send a request on our behalf but it will fail without that hidden field value. Or I guess you could say, that hidden field protects us from CSRF not XSS.
miammmmm ça semble sacrement délicieux merci !
How I should thank you... This helped me a lot
Great video.
brilliant
Thanks for a great session Brad!! It was wonderful.
Have a query , Is it possible to use JWT stored in local storage for a multi page application?
I understand that If we use session cookies, on every Page Load / Page redirection cookies will automatically be sent in the browser GET request.
How can we handle such scenarios if JWT is stored in local storage?
amazing! thanks!
thank you so much ❤
Bro went like .. this video is sponsored by me lol
There's something wrong here when u are trying simulate the CSRF attack, I don't see Cookie being sent to Server from another TAB when i reproduced it, even when i opened the other tab Application Storage , i dont Cookie being shared across the browser TABS.
and i don't see cookie being sent and it works perfectly with FAILED message. So at #13:10 I am assuming that you did something in the background to have that cookie at that TAB as well.
So I am suspecting this is not a TRUE Simulation of that Attack ? what do u say @learnWebCode?.
But i do like this video content FYI
I don't recall doing anything off camera for that cookie example, at the time I recorded it, it was reproducible by following along. Is it possible you were using a privacy focused web browser like Brave? In one of my examples I remember the CodePen CSRF attack example was only possible in FireFox but not Chrome.
Hi, what is exactly stored in the session id cookie in the browser? I thought it would not change during the session, but I noticed if you add an extra key/value pair at the session at server side with Flask, the cookie at the browser is changed too. Can I read/decode actually what is stored at the browser with the flask secret key? And why is the session id cookie changed? Thanks in advance!
this is gold
You are great sir
Easy understanding
For login, what should we use cookies or localstorage?
Thank you!
but what if we store the jwt as the cookie right ,just came in my mind
Sir u r amazing...❤️❤️❤️❤️❤️
Thank you for an excellent explanation. I have a question. How would session cookie can prevent a malicious user to gain access? Session related cookie is stored on the browser like any other cookie and it will be sent back with each and every request. It's similar to the example you have in the earlier part of the video where a malicious user sends a POST request.
Can you give an example of the type of malicious user / attack you have in mind? I'm not sure I understand your question. If we require a CSRF token along with the cookie's value then other malicious site's can't make successful requests on our behalf because they don't have access to the page/DOM with the CSRF token in it. Do you mean if someone physically steals someone's laptop and looks in their browser's cookie values? Or if our site is compromised and is serving up malicious JavaScript to our visitors?
@@LearnWebCode actually you are right, CRSF token along with session Cookie value should prevent malicious user's request. Shouldn't CRSF token also prevent malicious requests even if someone steels the laptop and gain access to browser cookie values ? Besides, session cookies, I was also thinking what possibly can a malicious user do to gain access to JWT token and use it to make successful requests ?