[tmikaeld]

Was about to write a rant that it's still not better than cookies & sessions, something that has been standard waay longer than JWT.

But this video says all I have to say (2018):

https://www.youtube.com/watch?v=JdGOb7AxUo0

1 sec takeaway (More in the video):

https://i.imgur.com/vUYTYfS.png

That said, JWT's are great for stuff like 2-Factor via email link or redirecting from one domain to another. Single use, which it was built for.

[nijave]

That video is ridiculous. The whole time is spent talking about how cookies are superior to local storage which has little to do with JWT. You can use JWT and store it in a cookie. Session cookies are most certainly not automatically signed. Signing a session ID provides absolutely no value (signing claims, however, does). Revocation is exactly the same for both of them. JWT has a standard jti field for the session ID. I'm also not sure why you'd store all of a user's information in a JWT. You can just put in the minimal information to accomplish what you need.

[tmikaeld]

If you cryptographically sign the session cookie, as suggested in the video, then you accomplish the exact same thing as a JWT token - so, then why use JWT at all, if you going to look up the session data from the database in any case.

JWT was meant to be stateless, if it's not, then it's just a layer of unnecessary complexity with potential security and implementation flaws.

[blablabla123]

JWT is basically a spec for how to sign the session cookie. Correct me if I'm wrong but there are 2 fundamentally different ways to do user session management: a) user has a random key that can be compared to stored key (DB, Redis, ...) b) signed session information, probably stored as cookie.

It's possible to add additional information in a JWT. And of course it's complexity that adds additional attack surface, but at least there is some kind of standardization around it.

[dwaite]

Nit: JWTs are leveraged to cover a wide variety of use cases outside sessions.

[to11mtm]

My favorite use for JWT was actually on the backend for Frontend-to-service-to-service auth. It was actually a pretty natural way to flow the user context around without getting ugly with our API calling conventions.

Basically, Clients all used NTLM to talk to the main site, but the main site would use JWT to pass the authenticated user info to the other services being called. The signature ensured that you couldn't spoof, short of being an authorized user that could get an impersonate token for calling the APIs.

But the nice thing was it meant we didn't really have to hit the DB at all in any of this, and it was way cheaper to implement than an API gateway.

[foray1010]

depends on if need to call other apis like microservices, you can use the JWT on behalf of the user to request the contents from other services. JWT also introduces `scope` which determine services user consented and allowed your backend to call. These things are not supported by a simple session cookie.

[Spivak]

I mean they're not supported OOB but you're just describing a session cookie with some signed metadata. If "the ecosystem" and interoperability with existing services is the goal then has the advantage.

If you're talking about something bespoke then it probably doesn't.

[dwild]

> you're just describing a session cookie with some signed metadata.

Isn't that JWT?

[sk5t]

Delegation via JWT replay downstream? Maybe, I guess, if those other services all have the same "aud(ience)" requirements, or don't bother checking audience. Probably not a design to hang one's hat on.

[idoubtit]

That's precisely the use case for JWT I recently had to work with, where cookies are irrelevant.

The web server gets a token from the API server, then prepares a few JSON messages that the web client will send asynchronously with JS. Since each message content is signed, the web client can't tamper with what is sent to the API. JWT was perfect for this 3-tiers messaging.

[Spivak]

I mean is all this complexity really worth "I can send data to an untrusted client so that it can later send it back to me?" compared to just storing that data somewhere like Redis?

[Arnt]

Then you have to provide a consistent view of the database across all server nodes, and the database updates need to propagate to all of your servers more quickly than the clients can issue requests. How complex is JWT compared to that?

[Scarblac]

He never said "back to me". Back to somewhere. That may or may not know that Redis exists.

[peeters]

Yeah I was hoping for a fair comparison but it seemed like a pretty big strawman. Like he just takes it for granted that "a session cookie is a cryptographically-signed identifier" but that's not remotely standard. At its most common (looking at you, JSESSIONID), simple form, the session cookie is a securely generated random number that is used as an index for state, and signing plays no part. The presenter then goes and talks about how cookies can be used to store other pieces of data in a stateless way, but it all branches from this premise that cookies are crypotgraphically signed, which isn't historically true.

[user5994461]

Author here. Random identifiers and encoded objects are both widely used historically. Random cookies might have been more common 2 decades ago when every byte was expensive, but that was a while ago.

If you work mainly in Java for example, you'll more often see JSESSIONID which are random string identifiers, referring to a database containing active tokens and user profiles.

However if you work in Python, you'll more often see objects. Typically something like a user identifier + creation date + random bits, that is encrypted with a symmetric key. It's usually encrypted, not signed, so yet another thing than signed tokens and random cookies.

[nijave]

Sure Django and Flask use secure session cookies but that doesn't automatically make them all secure or signed/encrypted. Most cookies are plain text and there's no reason they need to be secure (they just contain user metadata not auth information)

[schnable]

JWT has many uses that have nothing to do with web browsers. The author doesn't mention anything about web browsers in the post. This line of JWT criticism needs to go away unless JWTs are being discussed specifically in a browser-based scenario.

[com2kid]

JWTs are nice because the same authentication scheme can be used for applications and websites.

Basically a bunch of endpoints can be put up, and if they use JWTs, it is easy to hit those endpoints from any type of app.

Cookies can of course be used, but that requires pulling cookie jars into native code. Perfectly do-able, but also super awkward and potentially error prone. e.g. I remember using apps on Windows that required me to clear my Internet Explorer cookies if the native app's auth got into a broken state!

(Things aren't that bad anymore)

JWTs are also nice because I can easily write services that authenticate to each other. I can have a service running on my backend that authenticates its limited access service account, gets a JWT, and goes and talks to another service. Could I pass around cookies? Sure, but it'd be more work and more complicated than "attach this JSON blob".

Cookies are nice if everything is browser based, but I'd argue that isn't the best way to build services.

(And finally, the amount of time I've spent debugging JWT issues < the amount of time I've spent debugging cookie issues!)

[ascotan]

There is no need to write to a cookie in server-to-server auth, just pass an auth token back in a custom header. No JWT required. Cookies are for offline users.

[com2kid]

> just pass an auth token back in a custom header.

At that point why not just use JWT?

If my auth service provider already uses JWT (which it does), and all the platforms I am writing on have a provided library that consumes JWT (which they do), then why would I go with a custom header?

Also having uniformity of code patterns is nice.

My web service uses the same authentication scheme as my native apps. Heck my backend DB knows how to look JWT tokens and apply permissions correctly.

[snak]

Well, for a long time there was no SameSite browser support for cookies, CSRF was a vulnerability (excluding STP and other techniques to avoid it).

[tmikaeld]

You're right, SameSite became properly supported just a year ago for the majority of browsers.

Reference:

https://caniuse.com/#search=SameSite

[shkkmo]

We use JWT for doing time and ip address limited cross domain redirection. We also use it for partners who want to provide sso access to our site with having to implement a full oAuth. They just provide us with their public key and use any of a number of libraries for to generate a JWT with the ip address and an short expiration and an email. Once we receive a JWT key and validate it using their public key (and other associated fields) we establish a standard cookie session.

[stazz1]

This sounds like the [only?] intelligent (and also unintendend?) use case for JWT

[zaiste]

I've written such a rant almost a year ago. [1] The article shows how to build a « RESTful » API secured with sessions implemented using regular cookies: simpler & without unnecessary complexity.

[1]: https://zaiste.net/creating-secure-rest-api-nodejs-without-j...

[Scarblac]

That's nice, and how it was done for decades. But I'm looking at JWT in a context where we have an application with a REST API, third parties paying us for licenses want to write frontends running on their own domains using to that API, and authentication servers are run by end user organizations that manage their own users.

Our API knows that that organization's auth server is allowed to sign tokens, the third party frontends can obtain those tokens and send them to our API, and it works (or so I hope, I'm in the reading up on all this stuff phase). Sessions using regular cookies just don't.

[codezero]

I don’t see any mention of cookies in that post except about an upcoming post. Does your framework provide the persistence on the client side for authentication, or does it rely on the client to maintain that token?

[hujjji]

I have implemented JWT with not much java code and only supporting one encryption standard.

It was easily implmeneted, easy to understand, secure by design and not open to any of those security issues because there was no magic lib which would have allowed for some downgrade attack.

And what did it actually solve? Session stickyness. Simple and easy.

[twic]

JWT is just a particular format for cookies.