by cryptica 2315 days ago
That article doesn't contain a single logical argument.

>> JSON Web Tokens are Often Misused

So is everything else. Name one programming concept which isn't often misused.

>> There were two ways to attack a standards-compliant JWS library to achieve trivial token forgery

The keyword here is "were" - Just like how people in Europe "were" dying from the Bubonic plague - It doesn't mean that Europe is unsafe today.

The up-to-date reality is that JWT today has been battle-tested to an extent that few other web standards have. In a way, all the negative attention due to past issues has made it stronger.

>> JSON Web Encryption is a Foot-Gun... this is somewhat like pointing a gun with 5 out of 6 loaded chambers directly at your foot

...And using session IDs inside a cookie is like eating a cookie laced with cyanide.

Can you elaborate why session IDs inside cookies are dangerous?
I can manipulate my cookies. I can forge my server-side session ID for session hijacking. This is what I understood.
> I can forge my server-side session ID for session hijacking. This is what I understood.

Forge this. For each session:

    session_id = bin2hex(random_bytes(32))
Yes, you can change what you send to the server. But you can't hijack another user's session in this probability space (2^-256) by blind guessing. Instead, you need another way to leak their credentials to hijack the session.
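As an added illustration of the point above (example code written for this thread, not anything posted by the commenter), here is a small server-side session store in Python: the cookie carries only a 256-bit random ID, the client can edit that ID freely, and any value the server never issued is simply unknown. The store, the `tamper` helper and the user name are constructed for the demo.

```python
import hashlib
import secrets
from typing import Dict, Optional

SESSION_ID_BYTES = 32  # 256 bits of entropy, same size as the quoted random_bytes(32)


def new_session_id() -> str:
    # Python's counterpart to PHP's bin2hex(random_bytes(32)): 32 bytes from the
    # OS CSPRNG, hex-encoded to 64 characters. This string is the whole credential.
    return secrets.token_hex(SESSION_ID_BYTES)


def _key(session_id: str) -> str:
    # Store a hash of the ID rather than the ID itself, so a leaked copy of the
    # store does not hand out ready-to-use cookies.
    return hashlib.sha256(session_id.encode("ascii")).hexdigest()


class SessionStore:
    """Server-side store; the cookie carries only the opaque random ID (constructed example)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self, user: str) -> str:
        session_id = new_session_id()
        self._sessions[_key(session_id)] = {"user": user}
        return session_id

    def lookup(self, presented: str) -> Optional[dict]:
        # Reject anything that is not a 64-character hex string before touching the store.
        if len(presented) != 2 * SESSION_ID_BYTES:
            return None
        try:
            bytes.fromhex(presented)
        except ValueError:
            return None
        return self._sessions.get(_key(presented))


def tamper(session_id: str) -> str:
    # Simulate a client editing its own cookie: flip one hex digit of the real ID.
    # The client can always do this; it cannot thereby land on another user's ID.
    first = "0" if session_id[0] != "0" else "1"
    return first + session_id[1:]


def demo() -> dict:
    store = SessionStore()
    alice_cookie = store.create("alice")  # constructed user
    return {
        "own_cookie_accepted": store.lookup(alice_cookie) == {"user": "alice"},
        "edited_cookie_rejected": store.lookup(tamper(alice_cookie)) is None,
        "guessed_cookie_rejected": store.lookup(new_session_id()) is None,
        "search_space_bits": 8 * SESSION_ID_BYTES,
    }
```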
I didn't think so detailed but yes. My point was more that if you look at any technology concept, you will find vulnerabilities if it is misused.