by throwawaymath
2734 days ago
> Yes, jwt is not ideal. But this talk that you should never ever use them and your service will be immediately hacked etc is silly internet bandwagoning.

I never said you should never ever use JWT or that your service will be hacked if you do so. In fact, if you kindly reread what I wrote you'll see that I explicitly mentioned there are legitimate use cases for JWT. I am specifically refuting the use of JWT as an authenticated session management system.

> Anyone reading this, please do not over think this advice and just ship with jwts if that is what you have.

This is poor advice.

1) Authentication is sufficiently solved for most workflows and applications that you can use turnkey solutions for more secure and more performant authentication than JWT.

2) What exactly is the scenario you envision in which JWT is all someone has? Do you mean they're forced to use stateless session management, or that JWT is literally all they can do for authentication because nothing else is available?

Good luck using session cookies with Cordova on iOS, for example [1]. In cases like these JWT is perhaps your only option.
[1] https://issues.apache.org/jira/browse/CB-12074