re: Be careful of the JWT hype train VIEW POST


I think there's way too much hype around it and people are using JWT because it's shiny!

I think they all suggest JWT because it's easy to setup and lots of tutorials about single page applications just re-iterate that since it can be controlled by JS.

So are cookies. Cookies are just an HTTP header. Any HTTP client can read and set headers. The cookies header also has 20+ years of security and functionality built in to it for browsers (HTTPS only, expiration, site scope, blocking access from JavaScript) and there are well known and understood fixes for issues like CSRF tokens for forgery.

Exactly. That to me is the weakest argument

There was a really interesting discussion one year ago about using JWT and the local storage here if you're interested:

This is my favorite resource so far on the argument JWT and sessions: Stop using JWT for sessions, part 2: Why your solution doesn't work

ps. doesn't use JWT for the session, just to store additional user info.

code of conduct - report abuse