re: Be careful of the JWT hype train VIEW POST


there are well known and understood fixes for issues like CSRF tokens for forgery.

These also add a stateful component to the API. If you want people to still be logged in after node restart or if you ever need to scale beyond one node, then you have to make sure your sessions/CSRF tokens are stored in a shared database (e.g. Redis). This creates extra failure modes to handle (session store down or overloaded) vs verifying the JWT signature. Session cookies are a great solution for many cases, but it has trade-offs too.

code of conduct - report abuse