re: Be careful of the JWT hype train


JWT is also praised because it features multiple algorithms of codification. It even shows it on its homepage.

Multiple algorithms are not a feature but a problem. We don't need +10 methods of codification but a single one that works everywhere. And so far, only HS256 and HS384 are cross-compatible.

One of the problems of the cookie-session is session hijacking. JWT doesn't solve it, either for XSS or CSRF. So, what's the objective of JWT?

Finally, if we want security then we must use SSL. And if we use SSL, JWT is rendered redundant.


Actually, it's assumed that generation of JWT and exchange of it has to be conducted through SSL for security reasons.

So I don't really think JWT is redundant, since its use case is more suited for an API gateway backend to authenticate API services of a given user.


But JWT assumes that both parties know each other, JWT doesn't address that problem.

Nah pretty sure SSL doesn't work this way.

Since that technology just provides you an encrypted tunnel.

It does not identify you as who you are as a user besides basic information of the computer you are using.

No, the raison d'etre of SSL is that each communication is safe, so it can't be read or modified by a third party, exactly what JWT promises.

Yeah, you are assuming that it identifies the user who is using it, but SSL only identifies the computer itself that is being used; the problem is that you can have multiple ppl using the same computer. So it is not that specific to the point that it identifies the correct information the user is using at that specific point in time.

😵 In a nutshell, we already have session and SSL: the encryption is done by SSL and the identification is done by the session (or cookies or token). SSL is not about identification, but that is possible with a session, which doesn't require a special tool to configure.

So, why do we need JWT? To replace SSL and session/cookies? Not really, we still use SSL and/or session.

JWT allows a way to not have to check a central DB for every request to say an API. Albeit not w/o drawbacks as covered by this piece. So instead of -- 1) receive request, 2) look up user's session for info and to determine if it's valid, 3) serve user request -- with JWT you can eliminate step 2.

As the author describes, for most small and medium sites, validating a request against a central session store is really not that onerous. It's only when you get into Netflix territory - then you have to worry about how to distribute all that state where it's always available and accurate in real time for any service that needs to authenticate the user.
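The two shapes of "step 2" contrasted in the comment above, as an added example that is not part of the original thread: a self-contained HS256 verifier that needs no central store (the verifier pins the algorithm itself rather than trusting the token header, which is the practical answer to the "too many algorithms" complaint earlier in the thread), beside the session-store lookup it replaces. The secret key and the session records are constructed for this demo.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

SECRET = b"constructed-demo-key"  # placeholder key for this example only

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_hs256(claims: dict, key: bytes) -> str:
    """Mint a JWT signed with HS256 (HMAC-SHA256 over header.payload)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_stateless(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Step 2 without a DB round trip: the token carries and proves its own claims.
    Returns the claims, or None if the token must be rejected."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(unb64url(h64))
        claims = json.loads(unb64url(p64))
        sig = unb64url(s64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm on the verifier side; the token header never gets a vote.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    # A self-contained token must carry its own expiry, since nothing central can revoke it.
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None
    return claims

def verify_with_session_store(session_id: str, store: dict, now: Optional[float] = None) -> Optional[dict]:
    """The cookie-session shape of step 2: one lookup in central state."""
    rec = store.get(session_id)
    if rec is None or rec["exp"] <= (now if now is not None else time.time()):
        return None
    return {"sub": rec["sub"]}
```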
