Thread

Michael Merritt

I love all things Mobile and HTML5

Oct 17, 2015

How was your experience with JSON Web Tokens (JWTs) and when should we use it?

When I build any web app (API driven or not) I usually go with usual cookie based authentication. But lately there have been many improvements in JWT. If you are using JWTs how was your experience? Also it would be great if someone could give some insights on when JWTs are useful as opposed to traditional cookie based authentication.

#jwt #nodejs

Responses(2)

Remco Boerma

CTO@NPO, python dev, dba

Oct 19, 2015

Thanks for pointing out JWT. Didn't know it existed, but will surely find out more about it.

Grim Mostert

Oct 20, 2015

If you are using node-jsonwebtoken, pyjwt, namshi/jose, php-jwt or jsjwt with asymmetric keys (RS256, RS384, RS512, ES256, ES384, ES512) please update to the latest version. See jwt.io for more information on the vulnerable libraries. (Updated 2015-04-20)
This is a guest post from Tim McLean, who is a member of the Auth0 Security Researcher Hall of Fame. Tim normally blogs at www.timmclean.net.

auth0.com/blog/2015/03/31/critical-vulnerabilitie…

For implementations, see jwt.io

I would personally stay away from JWT except for pet projects, HTTP-only + Secure cookies have been around for a long time, have been tried and tested, had their vulnerabilities fixed whereas JWT might still have plenty of flaws in it to be discovered.

There are four ways modern applications generally authenticate ...

outsource your authentication to an Oauth-like provider and hope they don't get compromised,
keep a session per user (which is horrible for scaling unless your load balancer can send all the requests from that user to the same server),
generating a token and keeping it in some sort of database and authenticating each request against that database (this is my preferred way of building authentication, all components can be built stateless without sessions and it scales well)
and lastly building a complicated token that contains all the authentication details, it's the same as the previous one, except that the token is not stored in the database and your backend has to decrypt the token to validate if it's a valid token

The only problem I have the last way of authentication is that if somebody figures out how to re-create your tokens, they can log in with any any account whereas with the third way, you generate a secure-GUID which is completely random and unless you can match that random token, you can't login.

Search Hashnode

How was your experience with JSON Web Tokens (JWTs) and when should we use it?

Responses(2)

Recent threads