Popular posts

Nicholas Wiersma

Software developer, general human being.

Sep 1, 2016

As with most things, this depends on your use case. In API's JWT is the probably a better choice. In a front end server side application sessions are probably the right path. That being said, there are use cases where you need to use JWT instead of sessions and visa versa. There is no one way with this.

SD

Stephan de Vries

Full stack developer, enthusiastic about new technologies.

Sep 2, 2016

Thanks for the answer! In my particular use case we want to log users in. JWT seems like a bad choice for this, because it seems insecure as tokens cannot be invalidated. If somebody could steal a user's token, it'd be able to perform unauthorised actions. So I guess the real question is: Are JWTs really that bad for authenticating users in a website? Would you rather user JWTs or HTTP sessions?

What would be your choice?

NW

Nicholas Wiersma

Software developer, general human being.

Sep 2, 2016

From what you have said I assume you are building server side application, if not, that would basically invalidate this response. With that assumption intact, sessions are definitely the way forward. They are easier to deal with and reduce the logic needed. I would always go for the simpler option.

Just to be clear, JWTs are not insecure. Uses of JWT's are insecure. There are implementations of OAuth2 that use JWTs, can invalidate the token, and are secure.

Search Hashnode