by jillesvangurp 1353 days ago
Paseto tokens don't really address any problem that is actually that important/relevant. JWT is good enough and, when used properly, has no security issues. Basically, sign them using a sane algorithm, distribute them over https and of course manage your private keys in a sane way.

Companies not capable of doing this properly have bigger issues that Paseto won't fix either. Such companies would do well to use products/frameworks based on standards implemented by people that do know what they are doing. And mostly those would rely on JWTs.

1 comment

> When used properly

That's the whole problem. The majority of the times I've seen JWTs used, they weren't "used properly".

Can you describe typical problems you observed? I'm using JWT but I never gave much thought to it. It seems to work by default.

One of the most common high-impact issues is failing to expire sessions. In one case, the expiration date was set to be a whole year out: once a user had a valid JWT, the system would accept it for a whole year, even if the user's account was deactivated on day 2.
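The two failure modes raised in this thread, trusting whatever `alg` the header claims (the "sign them using a sane algorithm" point) and issuing tokens whose `exp` is so far out that deactivation never takes effect, can both be shown in a few lines. The following is an added example, not code posted by anyone in the thread: it hand-rolls HS256 with the standard library so it runs offline, mints tokens with a constructed secret and a constructed timestamp, and contrasts a naive verifier with one that pins the algorithm, caps the token lifetime, and consults a (constructed, in-memory) set of deactivated subjects. The 15-minute `MAX_LIFETIME` and the `deactivated` set are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed key for the demo only
ALLOWED_ALG = "HS256"
MAX_LIFETIME = 15 * 60  # assumed policy: no access token lives longer than 15 minutes


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint(claims: dict, lifetime: int, now: int, alg: str = ALLOWED_ALG) -> str:
    """Build header.payload.signature; alg='none' is supported only to show the attack."""
    header = {"alg": alg, "typ": "JWT"}
    body = dict(claims, iat=now, exp=now + lifetime)
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(body, separators=(",", ":")).encode())
    )
    if alg == "HS256":
        sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    elif alg == "none":
        sig = b""
    else:
        raise ValueError("demo supports only HS256 and none")
    return signing_input + "." + _b64url(sig)


def verify_naive(token: str, now: int) -> Optional[dict]:
    """The 'works by default' verifier: believes the header's alg, checks only exp."""
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    if header["alg"] == "HS256":
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
    elif header["alg"] == "none":
        pass  # the classic mistake: an unsigned token is accepted because the header says so
    else:
        return None
    claims = json.loads(_b64url_decode(p))
    return None if claims["exp"] <= now else claims


def verify_strict(token: str, now: int, deactivated: set) -> Optional[dict]:
    """Pins the algorithm, caps lifetime, and refuses subjects that were deactivated."""
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != ALLOWED_ALG:  # never let the token choose the algorithm
        return None
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    claims = json.loads(_b64url_decode(p))
    if claims["exp"] <= now:
        return None
    if claims["exp"] - claims["iat"] > MAX_LIFETIME:  # reject year-long tokens outright
        return None
    if claims.get("sub") in deactivated:  # the check the one-year token above was missing
        return None
    return claims


if __name__ == "__main__":
    NOW = 1_700_000_000  # constructed timestamp
    year_token = mint({"sub": "alice"}, 365 * 86400, NOW)
    print("naive, day 2, alice deactivated:", verify_naive(year_token, NOW + 2 * 86400))
    print("strict, same token:", verify_strict(year_token, NOW + 2 * 86400, {"alice"}))
    print("strict, alg=none:", verify_strict(mint({"sub": "admin"}, 600, NOW, "none"), NOW, set()))
```

The lifetime cap is what makes the "deactivated on day 2" case bounded: with 15-minute tokens the revocation lookup only has to cover a short window, and a refresh-token flow (not shown here) is where the account-status check belongs on renewal.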