by woloski 4541 days ago
Hey, Matias founder of Auth0 (https://www.auth0.com) here (we wrote the original article).

re: cookies vs XSS. Expanding on sil3ntmac's comment, based on my experience, it's easier to protect against XSS than against CSRF. For CSRF you have to be aware of two things: set your cookies to HttpOnly and have an xsrf mechanism in place (which is not straightforward and not the default in many web frameworks, and even worse if you start combining technologies). For XSS, you just need to make sure any input is sanitized, and most web frameworks usually provide something built-in for that.

Another interesting side effect of using JWT is that you now have a good cross-platform authentication mechanism that can cross boundaries. You can also achieve that with cookies, but you have to find the same implementation on different frameworks. We talk about this in our blog post about socket.io and JSON Web Tokens, where it's very common to find PHP and node.js mixed.

http://blog.auth0.com/2014/01/15/auth-with-socket-io/

We will write follow up blog posts about pros/cons, because as usual there is no silver bullet.