[fastball]

Not really true if you use an access/refresh token system. The access token doesn't hit the DB for auth, the refresh token does. You have an access token with a lifetime of say somewhere between 1-10 minutes. If you want to invalidate a session, you just revoke the refresh token and any access tokens will be invalid soon after. In a system where a user is making 10+ requests in a minute, that can be well worth it to reduce stress on the DB without an appreciable loss in security.

[trinovantes]

Cookie sessions are usually stored in fast caches like redis so the performance hit is negligible. Most people will never reach the performance ceiling of a beefy single redis instance so why bother complicating the system?

[LanceH]

Even when storing the cookies in a database like Postgres, they are fast enough because it's obviously indexed, and it's probably cached in many usage patterns. JWT is solving a non-problem for most people. Now, if you're talking machines talking to machines, all owned/operated by the same entity, go wild with JWT's if you want.

[unqueued]

> Even when storing the cookies in a database like Postgres, they are fast enough because it's obviously indexed, and it's probably cached in many usage patterns.

If you scale up high enough, it does matter.

But beyond that, it is also about decoupling the server serving the content and the user database.

To give you an example, using a traditional session cookie model, whenever my server gets a request, it has to look up the associated session info, and then possibly join multiple tables to see if a specific user for that specific session is authorized to access that content.

There are going to be many joins involved. Even with good caching, it will still be a more complex operation.

Even if not computationally complex, it will be logically complex.

But when using a JWT, my server actually does not need ANY db access. It merely needs to verify the cryptographic validity of the included JWT header, which uses no IO. After that, it can safely trust any user metadata included in the JWT.

So, if a user has paid for access to all premium content after 2018, you would just include a field for that in your JWT payload. Done.

It depends of course on how your business data models work of course. But you can often put enough information in your JWT to cut out a lot of account processing logic.

> JWT is solving a non-problem for most people.

I think people are cargo culting JWTs.

[JodieBenitez]

> But when using a JWT, my server actually does not need ANY db access.

You don't need any db access with signed cookies either. Just stash your data in a signed cookie and you're done. Should you need more than 4k for session data, maybe it's time to rethink about what should be stored in the session and what should be stored in the db.

[imnotjames]

I know a good spec for signing json data to store it as a token here, too

[P5fRxh5kUvp2th]

When people talk about caching user information, access is one of the things cached. That complicated joining happens exactly as often with sessions as it does with JWT's.

[unqueued]

No, with JWT parsing it doesn't even have to look anything up, cached or otherwise. The JWT itself contains the information directly.

I could have a server that doesn't have any access to the database at all, and it could still render content for the user.

And if the server is for something critical, like purchases, it can still use redis on each request to verify that a JWT is still valid.

[P5fRxh5kUvp2th]

I was responding to this:

> To give you an example, using a traditional session cookie model, whenever my server gets a request, it has to look up the associated session info, and then possibly join multiple tables

It does this on initial logon and then stores it in cache. You can think of a JWT as cache as well.

The point is, it only happens once for both.

[jtchang]

How does this solve it? You still need to wait 1 minute.

[fastball]

What security context are we talking about where that 1 minute matters?

[leodriesch]

A person has accessed your account and you’ve noticed it via sign-in-email. You change your password.

Attacker now still has 1-10 minutes to access your account.

[P5fRxh5kUvp2th]

I have this rant about people creating problems for themselves.

A perfect example is when SPA's were created, but it broke browser history. So we get a new standard with the ability to edit browser history.

I feel like refresh/access tokens fall into the same vein. If you need that don't use JWT's. The choice of JWT is the problem here, refresh/access tokens are a workaround.