by unscaled 3261 days ago
I generally agree with your conclusions, but I don't understand why you compare JWT to cookies. These technologies are completely orthogonal. JWT can be stored in cookies and whatever you put in traditional cookies can generally be stored in local storage.

The right comparison is JWT vs. session tokens stored in DB or KVS. Or in case you already decided against storing sessions in DB, you should compare JWT against rolling your own crypto.

With this approach, cookies should be thought of more as a mechanism for storing and presenting session data, not as a security mechanism. You can't rely on the cookie expiry date, for instance - if someone steals that cookie, they can completely disregard expiry, HttpOnly, Secure, Domain or whatever other property you stick on the cookie.

Cookie expiration is basically worthless. Whether you're storing your sessions in a database or cryptographically signing them you should always add your own expiration mechanism. I've seen too many systems that blindly relied on cookie expiration for security, only to realize the implications later.
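As an added illustration of the point above (example code, not part of the comment or of any framework it mentions): both a DB/KVS-backed session ID and a signed token carry their own server-checked expiry, so the cookie's Expires attribute never decides anything. The in-memory `SESSIONS` dict, `SESSION_TTL` and the `SECRET` key are constructed stand-ins.

```python
import base64, hashlib, hmac, json, secrets, time

# Hypothetical in-memory session store standing in for a file/redis/db.
SESSIONS = {}
SESSION_TTL = 3600  # server-side lifetime in seconds, independent of the cookie's Expires
SECRET = secrets.token_bytes(32)  # constructed signing key for the signed-token variant

def create_session(user_id, now=None):
    """Stateful variant: issue a high-entropy session ID and record its own expiry."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user_id, "exp": now + SESSION_TTL}
    return sid

def lookup_session(sid, now=None):
    """Return the user for a live session, else None. Only the stored 'exp' counts,
    so a stolen cookie cannot be replayed past the server-side lifetime."""
    now = time.time() if now is None else now
    rec = SESSIONS.get(sid)
    if rec is None or now >= rec["exp"]:
        SESSIONS.pop(sid, None)  # expired (or unknown): make sure it is gone
        return None
    return rec["user"]

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(payload):
    return _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())

def issue_token(user_id, ttl=SESSION_TTL, now=None):
    """Stateless variant: HMAC-sign a payload that carries its own 'exp' claim."""
    now = time.time() if now is None else now
    payload = _b64(json.dumps({"user": user_id, "exp": now + ttl}).encode())
    return f"{payload}.{_sign(payload)}"

def verify_token(token, now=None):
    """Return the user if the signature and the embedded expiry both check out."""
    now = time.time() if now is None else now
    payload, _, sig = token.partition(".")
    if not sig or not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return None  # tampered or malformed
    padded = payload + "=" * (-len(payload) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if now >= claims["exp"]:
        return None  # expired regardless of any cookie attributes
    return claims["user"]
```

Either way the browser-side cookie attributes only affect an honest client; the server-side `exp` is what actually bounds a stolen credential.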


> I generally agree with your conclusions, but I don't understand why you compare JWT to cookies.

You're right when it comes to terms. Allow me to clarify what I meant by Cookies and JWT in the explanation above:

I was referring to Cookies as the default storage for the stateful session mechanism used by web frameworks that make use of a random session ID with high entropy. It's the no-brainer approach to implementing stateful sessions and (usually) doesn't require changes on the client side, but requires you to store all sessions in a file/redis/db. And the expiration you pointed out now makes sense, because I'm talking about the expiration of the session on the server side, although Cookies have this mechanism, which does little to prevent session hijacking.

JWT, on the other hand, is usually stored in LocalStorage and requires some development changes in the JavaScript framework because it needs to read from LocalStorage, capture the JWT and send it in every request. With a web framework's default approach (for which I used the term Cookies), it's seamless.