
re: How I Fixed JWT Security Flaws in 3 Steps
 

Awesome post, thanks for sharing!

Question, if I may:
I am working on a legacy project that has sessions already in use. I have to add the authorization part and I decided to use JWT, to avoid making an extra request to the session store.

Is it a good idea to use the sessionId as the secret whenever it is needed to verify/sign the JWT?
What do you think about this idea, just to use the sessionId as the secret, which is always unique for each user? In theory, this should make things more secure?

 

Hi, glad the article was helpful!

Two of the main advantages of JWT are:

  1. A signed hash to validate that the token was not modified
  2. A unique user identifier is embedded in the JWT

How do you plan to implement #1 only with a session ID?

Unless your session ID is unique for each user and is permanent across time, you will still need to map each session ID to a real user in your database, defeating #2.
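
The trade-off discussed in this thread, as an added example that is not from either commenter or the original article: a standard-library HS256 sketch comparing verification with one server-side secret against verification keyed by the session ID. `SessionStore`, `verify_per_session`, the secret and the session values are hypothetical, constructed for illustration, and the session ID is assumed to arrive in the session cookie.

```python
import base64, hashlib, hmac, json

def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT: header.payload.signature."""
    head = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64u(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64u(mac)}"

def verify(token: str, secret: bytes):
    """Return the claims if the HS256 signature matches, else None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64u_dec(head)).get("alg") != "HS256":
            return None
        mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, b64u_dec(sig)):
            return None
        return json.loads(b64u_dec(body))
    except (ValueError, AttributeError):
        return None

class SessionStore:
    """Constructed stand-in for the legacy session store; counts reads."""
    def __init__(self, sessions):
        self.sessions, self.reads = dict(sessions), 0
    def get(self, sid):
        self.reads += 1
        return self.sessions.get(sid)

def verify_per_session(token: str, sid: str, store: SessionStore):
    """Secret = session ID (assumed to come from the session cookie)."""
    if store.get(sid) is None:  # the store read the JWT was meant to avoid
        return None
    return verify(token, sid.encode())

SERVER_SECRET = b"constructed-server-side-secret"  # constructed sample value

def demo():
    store = SessionStore({"sess-7f3a": {"user": "alice"}})  # constructed session
    a = verify(sign({"sub": "alice"}, SERVER_SECRET), SERVER_SECRET)
    shared_reads = store.reads
    b = verify_per_session(sign({"sub": "alice"}, b"sess-7f3a"), "sess-7f3a", store)
    return a, shared_reads, b, store.reads - shared_reads
```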
