by cjcampbell 2733 days ago
An oversimplified version of the arguments against JWT for session management (as well as the JOSE specification for signing and encryption) ...

1. The specification has points of ambiguity that have led to a number of flawed implementations.

2. JWT is saddled with unnecessary complexity which also contributes to recurring implementation flaws.

3. JWT increases the complexity of session revocation in contrast to a simple, stateless session ID.

The arguments and counter-arguments are a bit more involved, but be aware that by the time you account for the downsides, you may have negated the value you hoped to gain from stateless web tokens.

If you can use a simple session ID, use it. If you need JWT to support external authentication providers, use a short expiration and swap the (fully verified) token for a session ID.
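As an added illustration of the exchange pattern in the last paragraph (example code, not the commenter's own): fully verify an externally issued HS256 JWT, enforce its short lifetime, then swap it for an opaque server-side session ID that can be revoked with a single delete. The secret, the `make_demo_jwt` stand-in for the external provider and the claim values are constructed for the demo.

```python
import base64, hashlib, hmac, json, secrets

PROVIDER_SECRET = b"constructed-demo-secret-not-for-production"  # constructed demo key
SESSIONS = {}  # server-side store: opaque session id -> {"sub": ..., "expires": ...}

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def verify_jwt(token, secret, now, max_lifetime=300):
    """Fully verify an HS256 JWT: structure, pinned algorithm, signature, short expiry."""
    h64, p64, s64 = token.split(".")  # anything but three parts raises ValueError here
    # Pin the algorithm: the token's own 'alg' must never choose how it is verified.
    if json.loads(b64url_decode(h64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or not isinstance(iat, int) or exp <= now:
        raise ValueError("missing or expired exp/iat")
    if exp - iat > max_lifetime or "sub" not in claims:  # short lifetime, known subject
        raise ValueError("lifetime too long or missing sub")
    return claims

def exchange_for_session(token, secret, now, session_ttl=3600):  # JWT -> opaque session id
    claims = verify_jwt(token, secret, now)
    sid = secrets.token_urlsafe(32)  # unguessable and carries no claims itself
    SESSIONS[sid] = {"sub": claims["sub"], "expires": now + session_ttl}
    return sid

def lookup_session(sid, now):  # subject for a session id; None if unknown/expired/revoked
    entry = SESSIONS.get(sid)
    if entry is None or entry["expires"] <= now:
        SESSIONS.pop(sid, None)
        return None
    return entry["sub"]

def revoke_session(sid):  # a server-side delete, which a bare JWT cannot offer
    return SESSIONS.pop(sid, None) is not None

def make_demo_jwt(claims, secret):  # constructed stand-in for the external provider
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = head + "." + b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)
```

Once the exchange has happened, every later request is authorised by `lookup_session` alone, so the JWT never needs to be re-validated or blacklisted.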