by uyt
1900 days ago
It's conceptually the same, but JWT implies a specific data format standard which might be a more involved change architecturally. I'm mentioning the cookie signature stuff because it can be added in an almost black-box way at the web framework level. Whenever you send back something with set-cookie, also set a signature. Whenever receiving a request, check for that signature too. Though I guess it's not a good idea to try to "roll your own" if your web framework doesn't already support this out of the box. (Same disclaimer, I am not a security expert.)
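An added illustration of the sign-on-set, verify-on-receive pattern the comment above describes; it is not part of the original comment and not any framework's own code. The `.sig` companion-cookie naming, the function names and the key are assumptions made for the sketch.

```python
import base64
import hashlib
import hmac

# Constructed demo key; a real deployment loads a random secret from configuration.
SECRET_KEY = b"constructed-demo-key-not-for-production"
SIG_SUFFIX = ".sig"  # hypothetical naming convention for the companion cookie


def _mac(name: str, value: str, key: bytes = SECRET_KEY) -> str:
    # Bind the cookie name into the MAC so a valid signature cannot be moved
    # to a different cookie; length-prefix it so ("a", "bc") and ("ab", "c")
    # never produce the same message.
    raw_name = name.encode()
    msg = len(raw_name).to_bytes(4, "big") + raw_name + value.encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def sign_outgoing(cookies: dict) -> dict:
    """Response side: for every cookie being set, also set its signature."""
    signed = dict(cookies)
    for name, value in cookies.items():
        signed[name + SIG_SUFFIX] = _mac(name, value)
    return signed


def verify_incoming(cookies: dict) -> dict:
    """Request side: keep only cookies whose signature is present and valid."""
    trusted = {}
    for name, value in cookies.items():
        if name.endswith(SIG_SUFFIX):
            continue  # signature cookies are checked alongside their owner
        presented = cookies.get(name + SIG_SUFFIX, "")
        # compare_digest avoids leaking the mismatch position through timing.
        if hmac.compare_digest(presented.encode(), _mac(name, value).encode()):
            trusted[name] = value
    return trusted
```

A signature of this kind gives integrity only: the cookie value stays readable by the client, and a captured cookie with its signature remains valid until the key or the value changes.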