Decide how to do authentication in regards to scaling

[erikhofer]

Idea: Use JWT instead of session IDs.

Pros:

• no session cache is needed -> scaling is easy
• permissions can be included in the token

Cons:

• tokens can't be revoked or modified
• expiration is absolute and not relative to last login -> "remeber me" is not as predictable

Notes:

• CSRF token is still needed because JTW must be saved in a http-only cookie to be XSS safe

[erikhofer]

A good approach would be to have an API gateway that is hit with a session ID and talks to the backend with a JWT. This combines the pros of both. However, we probably want to use an existing load balancer (ELB?) and not a custom one.

For now, we should stick to Spring's built-in sessions. When we have to scale up, we can reconsider this issue (implementation should be easy enough to change). A distributed session cache is still a viable scaling solution.