Sunday, 27 August 2023

JWT is not a replacement for sessions.

JWTs are not a replacement for sessions. Although a JWT does cover the security aspect, it is not a valid substitute for sessions and cookies. The objective of a session is to keep only a session reference in the browser and the session information on the web server or in the database. This allows easy invalidation: the application just needs to delete the session on the server/database, which makes the cookie stored in the browser worthless. It also means that you can take advantage of the browser's secure storage container for cookies. If we forcibly use JWTs as sessions, we face the following challenges:

- The browser cannot manage JWT sessions.
- You have to implement token storage and management yourself.
- You can only use storage that is visible to JavaScript in the browser.
- There is no out-of-the-box method to invalidate a single JWT.
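The contrast drawn above, as an added example that is not part of the original post: a server-side session store whose reference travels in an HttpOnly cookie, beside a minimal HS256 JWT written here for the demo (the key, the user names and the `_revoked` denylist are constructed assumptions, not a real library). After logout the session reference is dead at once, while the JWT still verifies until it expires unless the server keeps revocation state of its own.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-key-not-for-production"   # placeholder key for the demo

# --- Server-side session: the browser only holds an opaque reference ---
_sessions = {}                             # session id -> session data, kept on the server

def create_session(user):
    sid = secrets.token_urlsafe(32)        # unguessable reference that carries no data
    _sessions[sid] = {"user": user}
    return sid

def session_cookie(sid):
    # Browser-managed storage: HttpOnly keeps the reference away from page scripts.
    return f"sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"

def invalidate_session(sid):
    _sessions.pop(sid, None)               # one delete and the reference is dead

# --- Minimal HS256 JWT (constructed for the demo, not a full library) ---
_revoked = set()                           # denylist the server has to add itself

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(header, claims):
    return _b64(hmac.new(SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest())

def issue_jwt(user, ttl=3600):
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64(json.dumps({"sub": user, "jti": secrets.token_hex(8),
                              "exp": int(time.time()) + ttl}).encode())
    return f"{header}.{claims}.{_sign(header, claims)}"

def verify_jwt(token):
    parts = token.split(".")
    if len(parts) != 3 or not hmac.compare_digest(_sign(parts[0], parts[1]), parts[2]):
        return None                        # bad shape or bad signature
    payload = json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))
    if payload["exp"] < time.time() or payload["jti"] in _revoked:
        return None                        # expired, or explicitly revoked by the server
    return payload

def logout_demo():
    sid, token = create_session("alice"), issue_jwt("alice")
    invalidate_session(sid)                # session: gone at once, cookie is now meaningless
    jwt_still_valid = verify_jwt(token) is not None   # True: nothing server-side to delete
    _revoked.add(verify_jwt(token)["jti"]) # the "stateless" token needs state to be revoked
    return _sessions.get(sid), jwt_still_valid, verify_jwt(token) is not None
```

`logout_demo()` returns `(None, True, False)`: the session lookup fails immediately, the JWT is still accepted, and only the server-side denylist finally rejects it.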

JWTs shouldn't be used to carry application-level data and permissions, because everything placed in the token is sent in a request header on every call and the header grows with it. The recommendation is to keep application data and permissions close to the application itself rather than in a JWT.


Credit: It would be mean not to give credit to the person who taught me the concept so nicely, Scott Brady.