When I build any web app (API-driven or not), I usually go with cookie-based authentication. But lately there have been many improvements in JWT. If you are using JWTs, how was your experience? Also, it would be great if someone could give some insights on when JWTs are useful as opposed to traditional cookie-based authentication.
If you are using node-jsonwebtoken, pyjwt, namshi/jose, php-jwt or jsjwt with asymmetric keys (RS256, RS384, RS512, ES256, ES384, ES512) please update to the latest version. See jwt.io for more information on the vulnerable libraries. (Updated 2015-04-20)
This is a guest post from Tim McLean, who is a member of the Auth0 Security Researcher Hall of Fame. Tim normally blogs at www.timmclean.net.
auth0.com/blog/2015/03/31/critical-vulnerabilitie…
For implementations, see jwt.io
I would personally stay away from JWT except for pet projects. HTTP-only + Secure cookies have been around for a long time, have been tried and tested, and have had their vulnerabilities fixed, whereas JWT might still have plenty of flaws in it to be discovered.
Remco Boerma
CTO@NPO, python dev, dba
Thanks for pointing out JWT. Didn't know it existed, but will surely find out more about it.