 

Could JWT(json web token) totally replace Session?

I know that JWT can be used to replace cookie/session-based authentication, and we used it in a previous project. I understand that using JWT has a lot of benefits, such as being stateless, CDN support, avoiding CSRF attacks, better support for a cluster environment, etc.

However, I'm very confused about whether JWT could totally replace the session. If we want to fully leverage JWT to keep all the session state, then it means that any time the server backend wants to add any state to the session, instead of doing that, the server side has to regenerate a new token with that info and the client side has to update to the newly generated token. I doubt whether that is the right way or not.

And if we only leverage JWT to support authentication and keep only user credential info, then although the authentication service could be decoupled as a standalone microservice, the session would still be necessary for the business service backend if we want to keep some session state, right? While reading the Spring documentation, I saw that it recommends leveraging Redis to save session state to support a cluster environment.

Overall, I'm very confused about whether JWT could be used to fully replace the session or not.

Thanks a lot.

mailme365 asked Dec 15 '15 02:12



1 Answer

(This is not an answer yet. Just some info I have collected so far. I have exactly the same question. I will change it to an answer when I have thoroughly solved this question.)

So far, I think JWT can be used to replace session+cookie as far as authentication is concerned. But a session is not just used for authentication; it is actually more a user-specific data store. I am not sure if JWT can replace the session for that purpose, given JWT's size limit (described below). And IMHO, authentication just happens to be one of the use cases of a session, since such info must be user-specific.

If you use JWT in place of a server-side session, you will probably send the JWT in an HTTP header, and more likely as a cookie (see here). But there is a size limit on headers, and 4K for a cookie. If you go with a server-side session, I don't think such a limit exists.

And this article lists some caveats of JWT.

ADD 1

And below is a similar thread questioning whether JWT can totally replace session storage. I just added some more answers there. Please do take a look.

Do I need a session store using JSON Web Token tokens? Why not just use cookies?

ADD 2

If we store the JWT as a cookie, as in my first link above, isn't it a re-implementation of a signed cookie?

The answer is here: Shall we store JWT as a cookie?

And another question of mine: Token based authentication and scalability? An illusion?

smwikipedia answered Sep 18 '22 07:09
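The two designs the question contrasts (re-issuing the token every time the server adds state, versus keeping only identity in the token and the mutable state in a server-side store such as Redis) and the 4K-cookie concern the answer raises can both be made concrete with a small stdlib-only HS256 JWT. The code below is an added example; it is not code from the question, the answer, or any project they link. The secret, the claim names (`sub`, `sid`, `exp`), the shopping-cart state, the in-memory `SESSION_STORE` standing in for Redis, and the 4096-byte cookie limit are all assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Assumed demo secret: in practice load it from a secrets manager, never hard-code it.
SECRET = b"demo-secret-do-not-use-in-production"
COOKIE_LIMIT = 4096                   # the roughly 4K per-cookie limit the answer mentions
SESSION_STORE: Dict[str, dict] = {}   # stands in for Redis (the Spring recommendation)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint(claims: dict, secret: bytes = SECRET) -> str:
    """Build an HS256 JWT: b64url(header).b64url(payload).b64url(HMAC-SHA256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify(token: str, secret: bytes = SECRET, now: Optional[int] = None) -> dict:
    """Return the claims if the token is well-formed, HS256-signed with `secret` and unexpired.
    The algorithm is pinned server-side, so a header of "alg": "none" (or any other
    algorithm) is rejected before the signature is looked at. An `exp` claim is required.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= (now if now is not None else int(time.time())):
        raise ValueError("expired")
    return claims


def rejects(token: str, now: Optional[int] = None) -> bool:
    """True if `verify` refuses the token (used to check tampering and expiry handling)."""
    try:
        verify(token, now=now)
        return False
    except ValueError:
        return True


def alg_none_variant(token: str) -> str:
    """The classic 'alg: none' downgrade: same payload, header says none, signature dropped."""
    _, p, _ = token.split(".")
    return _b64url(b'{"alg":"none","typ":"JWT"}') + "." + p + "."


# Option A from the question: keep *all* session state inside the token. Every change means
# the server must re-issue the token and the client must replace its stored copy.
def add_state_by_reissue(token: str, key: str, value) -> str:
    claims = verify(token)
    claims[key] = value
    return mint(claims)


# Option B: the token carries identity plus a session id; the mutable state lives server-side,
# keyed by that id. The token itself never changes, so its size stays constant.
def add_state_server_side(token: str, key: str, value) -> None:
    claims = verify(token)
    SESSION_STORE.setdefault(claims["sid"], {})[key] = value


def fits_in_cookie(token: str) -> bool:
    return len(token) <= COOKIE_LIMIT


def compare_strategies(n_items: int = 200) -> dict:
    """Put the same constructed shopping-cart state through both options and report sizes."""
    base = mint({"sub": "u42", "sid": "sess-1", "exp": int(time.time()) + 3600})
    cart = [{"sku": f"SKU-{i:05d}", "qty": 1} for i in range(n_items)]  # constructed sample data
    reissued = add_state_by_reissue(base, "cart", cart)
    SESSION_STORE.clear()
    add_state_server_side(base, "cart", cart)
    return {
        "base_len": len(base),
        "reissued_len": len(reissued),
        "reissued_fits_cookie": fits_in_cookie(reissued),
        "server_side_fits_cookie": fits_in_cookie(base),
        "server_side_items": len(SESSION_STORE["sess-1"]["cart"]),
    }


if __name__ == "__main__":
    print(json.dumps(compare_strategies(), indent=2))
```

Running `compare_strategies()` shows the trade-off the thread is circling: with 200 cart items the re-issued token is several times larger than the 4K a cookie can carry, while the identity-only token stays around 150 bytes and the state sits in the store. `verify` also demonstrates the checks a practitioner wants regardless of which option is chosen: algorithm pinned on the server, constant-time signature comparison, mandatory expiry. For a real service use a maintained library rather than this demo, and note that a JWT sent in a cookie is, as the answer's ADD 2 says, a signed cookie with a standardized format.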