'How "strong" auth-token has to be?

Following this tutorial to implement my authentication authorization for my Next.js + Vapor app: https://maxschmitt.me/posts/next-js-http-only-cookie-auth-tokens/

enter image description here

Is it any requirement how "strong" auth-token should be? Can I use the ID of the user for it? Cookie can be edited from browser by user manually, right? If I just use a userId, and someone figure out someone else's id, he can pretend others identity, right? So I guess I have to generate for each login a session id, and from it in backend decode the userId, right?

authenticationauthorization


Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source

Related Questions

enable Apache http Authorization header

Blazor @attribute [Authorize] tag is not working

Prevent database access outside the application

Authorisation in microservices - how to approach domain object or entity level access control using ACL?

Authorization in ASP.NET Core. Always 401 Unauthorized for [Authorize] attribute

Sonarqube authorization - how to authorize with sonar-maven-plugin when sonar.forceAuthentication is enabled

How to set token in authorization header in flutter Dio post request

Subscription-scope authorization for Azure Resource Manager API user

Does an OAuth Consumer validate a bearer token with the OAuth provider on each request

Https twice on my redirect_uri shopify when trying to authorize my application

Is there a way to Redirect in AuthorizationHandler in .Net 5?

Set default header for every fetch() request

ahrefs.com authorization using python requests

nestjs return undefined in Public Guards

ASP.NET 5 Authorize against two or more policies (OR-combined policy)