re: Be careful of the JWT hype train

re: Yeah, you are assuming that it identifies the user who is using it, but SSL only identifies the computer itself that is being used; the problem is t...

😵 In a nutshell, we already have sessions and SSL: the encryption is done by SSL and the identification is done by the session (or cookies or a token). SSL is not about identification, but identification is possible with a session, which doesn't require a special tool to configure.

So, why do we need JWT? To replace SSL and sessions/cookies? Not really; we still use SSL and/or sessions.

JWT offers a way to avoid checking a central DB on every request to, say, an API. Albeit not without drawbacks, as covered by this piece. So instead of 1) receive the request, 2) look up the user's session for info and to determine whether it's valid, 3) serve the user's request, with JWT you can eliminate step 2.

As the author describes, for most small and medium sites, validating a request against a central session store is really not that onerous. It's only when you get into Netflix territory that you have to worry about how to distribute all that state so it's always available and accurate in real time for any service that needs to authenticate the user.
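To make the three-step flow above concrete, here is an added example that is not code from either commenter or from the article being discussed. It puts the two versions of "step 2" side by side: a session-store lookup (an in-memory dict stands in for the central DB) and a stateless HS256 JWT check that needs only the signing key. The key, the `demo()` helper and the session helpers are all constructed for this example; the `demo()` result also shows the drawback the thread refers to, namely that revoking a session takes effect immediately while an already-issued JWT stays valid until it expires.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed demo key; a real deployment loads this from a secret store.
SECRET = b"constructed-demo-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT: base64url(header).base64url(claims).base64url(HMAC)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> Optional[dict]:
    """The JWT version of 'step 2': no store lookup, only a signature and an expiry check.
    Returns the claims on success, None on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError:  # bad base64, bad UTF-8 or bad JSON all end up here
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm the verifier expects instead of trusting the token's own "alg".
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return None
    return claims


# Constructed in-memory stand-in for the central session DB of the classic flow.
SESSION_STORE: dict = {}


def create_session(user_id: str, now: float, ttl: int = 3600) -> str:
    sid = secrets.token_urlsafe(32)  # random, unguessable session id
    SESSION_STORE[sid] = {"sub": user_id, "exp": now + ttl}
    return sid


def check_session(sid: str, now: float) -> Optional[dict]:
    """The session-store version of 'step 2': one lookup per request."""
    rec = SESSION_STORE.get(sid)
    if rec is None or now >= rec["exp"]:
        return None
    return rec


def revoke_session(sid: str) -> None:
    SESSION_STORE.pop(sid, None)


def demo(now: float = 1_700_000_000.0) -> dict:
    """Contrast the two flows; returns (session_ok, jwt_ok) before and after a logout."""
    sid = create_session("alice", now)
    tok = issue_jwt({"sub": "alice", "exp": now + 3600})
    before = (check_session(sid, now) is not None, verify_jwt(tok, now=now) is not None)
    # Server-side logout: the session record dies, the JWT keeps verifying until exp.
    revoke_session(sid)
    after = (check_session(sid, now) is not None, verify_jwt(tok, now=now) is not None)
    return {"before_revoke": before, "after_revoke": after}


if __name__ == "__main__":
    print(demo())  # {'before_revoke': (True, True), 'after_revoke': (False, True)}
```

The practical consequence for a defender is the `after_revoke` pair: with sessions, one delete in the store ends access everywhere; with JWTs, the only levers are a short `exp` plus a refresh flow, or a revocation list, which reintroduces exactly the shared state the token was meant to avoid.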
