Login via token (no jwt)

Hey everyone, you must know by now that storing cookies in a Capacitor app is a really big challenge, so I need to know if this is a bad practice or not.

I saw some posts about it on this community, but they don't refer to the security aspects.

The problem:
I can't store cookies in a Capacitor app. Of course I'll keep trying, but it's a stressful thing.
If we minimize the app, the user identity is still there, but if we close the app, the identity disappears.

A workaround:
On creating a user record we store a UUID as a token in the db, and when the user logs in on the app the token is stored in local storage, which remains even when the app is closed.
On the app we run a flow: identity=false & token=true

  • Call a server connect over HTTPS, which performs a login and renews the token too (in the db and in the app's local storage).

Can I ask for some opinions about this?
I'd like to be guided by the thoughts of this community :slightly_smiling_face:

Thanks for reading.

PS: I know I can use JWT for this and it's very secure, but I want to know about the risks of the method I described above.

I don't know the answer, but I'm also interested as I have hit the same problem. I have gone with a similar approach.

An extra thing I have done is set an expiry for the UUID and also check that it has not expired. Then on login it will change to a new UUID if it has expired. It also means an admin can revoke login at any time. Not sure if this makes it any more secure.