by edude03
2723 days ago
I think you are confusing the technology with the implementation here. JWT the technology is essentially a way to issue a token and validate that the token is legitimate. No one said anything about stateless authentication. If you're going to use cookies, and I recommend that, you need to put something in the cookie, cookies don't magically implement authentication for you. If for some reason you're not using the framework's way of authenticating with cookies, I'd recommend using JWT. Is there something else you'd recommend? Just use cookies is a hand-waving answer in and of itself.

No one needed to mention anything about stateless authentication because enabling stateless authentication is the purpose of JWTs [1].
Yes, just store a signed cookie with a random token for the session and use stateful authentication. That fits most people's needs better than stateless. (Even signing is more or less optional in many common cases. If the cookie is only a sufficiently long random token for the session key, then I don't really care if a user changes it, they'll only log themselves out.)
[1] - https://jobs.zalando.com/tech/blog/the-purpose-of-jwt-statel...
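
The stateful scheme described in the reply above, as an added example that is not part of the original thread: a random session token stored server-side, carried in an HMAC-signed cookie value. The in-memory `_sessions` dict, `SERVER_KEY`, `SESSION_TTL` and the function names are assumptions for illustration; a real deployment would use a database or cache and the framework's cookie handling.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment signing key
SESSION_TTL = 3600                    # assumption: one-hour sessions
_sessions = {}                        # assumption: stand-in for a DB or cache table


def _sign(token: str) -> bytes:
    return hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest().encode()


def login(user_id: str, now=None) -> str:
    """Create server-side session state and return the cookie value 'token.signature'."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 random bits; the token itself carries no claims
    _sessions[token] = {"user": user_id, "expires": now + SESSION_TTL}
    return f"{token}.{_sign(token).decode()}"


def authenticate(cookie: str, now=None):
    """Return the user id for a valid, unexpired session cookie, else None."""
    now = time.time() if now is None else now
    token, sep, sig = cookie.rpartition(".")
    # Constant-time signature check rejects edited cookies before any store lookup.
    if not sep or not hmac.compare_digest(sig.encode(), _sign(token)):
        return None
    session = _sessions.get(token)
    if session is None:
        return None  # unknown or already revoked
    if session["expires"] <= now:
        _sessions.pop(token, None)  # expired: drop the server-side state
        return None
    return session["user"]


def logout(cookie: str) -> None:
    """Revoke immediately by deleting server state; the cookie is useless afterwards."""
    _sessions.pop(cookie.rpartition(".")[0], None)
```

Because validity lives in the server-side store, `logout` takes effect on the next request, which a purely stateless token cannot do without an added revocation list.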