Comment by Grim Mostert on "How was your experience with JSON Web Tokens (JWTs) and when should we use it?"

If you are using node-jsonwebtoken, pyjwt, namshi/jose, php-jwt or jsjwt with asymmetric keys (RS256, RS384, RS512, ES256, ES384, ES512) please update to the latest version. See jwt.io for more information on the vulnerable libraries. (Updated 2015-04-20)
This is a guest post from Tim McLean, who is a member of the Auth0 Security Researcher Hall of Fame. Tim normally blogs at www.timmclean.net.

auth0.com/blog/2015/03/31/critical-vulnerabilitie…

For implementations, see jwt.io

I would personally stay away from JWT except for pet projects, HTTP-only + Secure cookies have been around for a long time, have been tried and tested, had their vulnerabilities fixed whereas JWT might still have plenty of flaws in it to be discovered.

There are four ways modern applications generally authenticate ...

outsource your authentication to an Oauth-like provider and hope they don't get compromised,
keep a session per user (which is horrible for scaling unless your load balancer can send all the requests from that user to the same server),
generating a token and keeping it in some sort of database and authenticating each request against that database (this is my preferred way of building authentication, all components can be built stateless without sessions and it scales well)
and lastly building a complicated token that contains all the authentication details, it's the same as the previous one, except that the token is not stored in the database and your backend has to decrypt the token to validate if it's a valid token

The only problem I have the last way of authentication is that if somebody figures out how to re-create your tokens, they can log in with any any account whereas with the third way, you generate a secure-GUID which is completely random and unless you can match that random token, you can't login.

My experience with jwt was pretty good. As you might know token based authentication provides you an auth token that is used to authenticate user request.Token based authentication is a new concept and is prominent everywhere nowadays.There are some advantages of token based authentication against server based and session based authentication. So there are no special conditions to use it,token based authentication replaces pitfalls of session and sever based authentication. So it should be used in place of the other two.And also tokens generated using jwt can be stored as http-only/secure cookies in request header.

Search Hashnode