DEV Community


Discussion on: JSON web tokens are NOT meant for authenticating the same user repeatedly: Use session tokens instead

samjakob profile image
Sam (NBTX) • Edited

No, session tokens should not be used today under any circumstances unless the developer is lazy or have not caught up on basics of web security in the past decade.

According to whom? Session tokens aren’t inherently insecure even if some implementations are.

And no, it is completely false that JWTs do not have expiration. It is actually their main feature that made the popular.

Nobody said they didn’t? He stated in the article that they have an expiry. The issue he’s illustrating is that you either have to choose between longer expiry durations (which is less secure and means you cannot manually expire the tokens) OR setting short expiry durations and essentially having little to no benefit over a session token because you have to access the refresh token and then generate a new JWT.

Short-lived token auth with automatic token update on every API call is the only secure way to battle intercept or leaking of auth info because it invalidates the token on the next response.

Well this is patently false. It’s ‘secure enough’ but so are many session token implementations - and they’ve been industry tested and used without fault. Short-lived tokens are still prone to their own security flaws such as the refresh token being leaked and at some point you’re going to have to exchange your shared secret or refresh token.

Forem Open with the Forem app