What is the difference between JWT and signed cookies?

I'm looking into JWT as an alternative to traditional sessions with cookies but I fail to see how they differ fundamentally from signed cookies that for example Express is offering through middleware like cookie-parser.

In both of them, the last part is the signature of the payload which guarantees the payload hasn't been tampered with.

Signed cookie:

user=tobi.CP7AWaXDfAKIRfH49dQzKJx7sKzzSoPq7/AcBBRVwlI3 

Equivalent JWT:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiVG9iaSJ9.kCTlR_Igb4H5cqBEDedShM2ivSQijPQkWqN4pZAXb2g

Besides the facts that:

(1) JWT doesn't come with origin restrictions and that

(2) the cookie content is immediately human-readable, whereas the JWT content (header + payload) is base64 encoded

is there anything that gives JWT a clear advantage over signed cookies?

Thalis K. asked Jul 20 '15 21:07



1 Answer

Beware of mixing the concerns: cookies are primarily a mechanism for storing data on the client, they aren't inherently an authentication mechanism - but we use them that way :)

The primary benefit of JWTs is the declared structure (JSON, with common fields) and the declared mechanism for signing them. This is all just specification, there is nothing special about it. But it is nice to have a common way of persisting identity assertions.

You still need to store your JWT in a secure fashion, and cookies with HttpOnly; Secure are the best option. This prevents the cookie from being read by the JavaScript environment, which prevents XSS attacks.

I've written some blog posts about JWTs, they contain more information that will help to answer your question:

Build Secure User Interfaces Using JSON Web Tokens (JWTs)

Token Based Authentication for Single Page Apps (SPAs)

Disclaimer: I do work at Stormpath. We sponsor open-source JWT libraries for Node.js and Java, which can be found here:

https://github.com/jwtk

If you are using AngularJS, we also implement JWT best practices out of the box with our Stormpath Angular SDK

robertjd answered Oct 08 '22 14:10