DEV Community

loading...

Discussion on: JSON web tokens are NOT meant for authenticating the same user repeatedly: Use session tokens instead

Collapse
branislavlazic profile image
Branislav Lazic • Edited

Then start elaborating yourself. Why session tokens shouldn’t be used? The point I see that OP made is actually fantastic. There is no advantage in using JWT over session based auth for simpler architectures. The whole implementation of stateless token authentication seems miles more complex in comparison with session based auth. The whole internet cannot agree whether access tokens should be stored in cookies or local storage, then it cannot agree whether the token should be stored/blacklisted server side or not, then how refresh tokens should be stored. Not storing JWT access token server side makes it hard for immediate invalidation which then, makes JWT way less safer than session.

Collapse
andreidascalu profile image
Andrei Dascalu • Edited

Errr, jwt shouldn't be stored neither in cookie or localstorage. They should be stored in memory (there's no perfect solution though, even cookies are vulnerable to csrf)

You should never need to invalidate jwts immediately, they should expire fast (a few minutes). To invalidate logins instantly there are a number of ways to do it. My favorite is an in validation marker. Any token with expiration date after an in validation marker will be rejected alongside any attached refresh token thus forcing the user to authenticate again.
You should never need to carry state in tokens. Tokens should help identify state for the backend.

Thread Thread
branislavlazic profile image
Branislav Lazic

Storing JWT access token in memory will make it vulnerable to XSS attacks. Fundamental of web security implementation is to presume that potential attacker knows how your implementation works. Storing access token in a cookie with httpOnly flag is a way to go. JS is unable to access httpOnly cookie. JWT indeed cannot be invalidated immediately without persisting some state which indicates that the token is invalidated or by rotating secret key used for its signing.

Thread Thread
andreidascalu profile image
Andrei Dascalu

Actually it's about the same. Nobody needs to "get" your token. Cookies are being sent on client side requests. Xss doesn't need to read your token, it needs to make requests on your behalf and can do so if your token is stored in cookie.

Forem Open with the Forem app