DEV Community


Discussion on: JSON web tokens are NOT meant for authenticating the same user repeatedly: Use session tokens instead

gramzivi

Authentication, authorization... well, security in general, is not a simple thing that can be explained so easily. There is no mention of CSRF and XSS problems with sessions, or session hijacking. Also, you said, "The major drawback of session tokens is that the logged-in users will get kicked out when either a different server deals with their request". It's not major; it's the reason why there is no serious modern app that can completely rely on session tokens (even if you put everything in Redis, or have a separate authentication server). Also, there is no serious application that completely relies on JWT. Some things are better to keep in JWT, some things are better to keep in session. But if you have a website where security is important, you need everything you can get. Don't be afraid of using a database or having one additional request every 15 minutes if that will improve security or stability.
