Gaining an understanding of Session Cookies and JWT Token

I’m not sure if unsecure is the correct term. The problem is rather in access restrictions. If you give someone a REPL to your server-side Elixir, your secrets are just as well hidden as when putting them on the client in places where stuff is readable by JavaScript.

The subject is very broad… I’ve explained before why I think JWTs are useful here and why they don’t necessarily compare to session cookies.

Just so people don’t get it wrong, OWASP has a dedicated section on JWT (using Java) and considerations one should take into account when using it for authentication (it is here). It also has many considerations for all other kinds of authentication. Even cookie-based session management.

At the same time it advocates the use of OpenID Connect as a widely adopted specification for identity providers, and that protocol uses JWTs a lot. As does OAuth. They are not meant for your use case. Your architecture is a very simple web app for which a session cookie might be enough.

In any case, I think that associating JWTs with an authentication system is not correct. I think it is a tool that has use cases as diverse as ensuring a signing and encryption set of algorithms implemented in a wide variety of languages in a variety of libraries.

But just to reiterate: your use case is simple and an HTTP session cookie with any opaque id (shouldn’t be guessable by the frontend) with the HttpOnly flag set is good enough security (nothing is 100% safe anyway). For other cases with distributed services that won’t be enough in my humble opinion. Nonetheless, you shouldn’t start with an OAuth/OpenID server if you don’t really know you are going to need it.

2 Likes
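An added example (not code from the post above) of the opaque-id, HttpOnly session cookie the post recommends, using only Python's standard library; the in-memory store, the cookie name `_app_session` and the TTL are assumptions:

```python
import secrets
import time
from http.cookies import SimpleCookie


class SessionStore:
    """Server-side session state keyed by an opaque id (constructed in-memory demo;
    a real app would use a database or cache shared by all nodes)."""

    def __init__(self, ttl_seconds=3600):
        self._sessions = {}
        self.ttl = ttl_seconds

    def create(self, user_id, now=None):
        # 256 bits from the OS CSPRNG: unguessable by the frontend, and carrying
        # no user data, so there is nothing to read or tamper with on the client.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user_id": user_id, "expires": _clock(now) + self.ttl}
        return sid

    def lookup(self, sid, now=None):
        # The server copy is the source of truth, so expiry and revocation take
        # effect immediately; there is no self-contained token to wait out.
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if _clock(now) >= entry["expires"]:
            del self._sessions[sid]
            return None
        return entry["user_id"]

    def revoke(self, sid):
        return self._sessions.pop(sid, None) is not None


def _clock(now):
    # Injectable clock so expiry can be exercised deterministically.
    return time.time() if now is None else now


def session_cookie_header(sid, name="_app_session"):
    # HttpOnly keeps the id out of document.cookie; Secure limits it to TLS;
    # SameSite=Lax stops most cross-site requests from carrying it.
    cookie = SimpleCookie()
    cookie[name] = sid
    cookie[name]["httponly"] = True
    cookie[name]["secure"] = True
    cookie[name]["samesite"] = "Lax"
    cookie[name]["path"] = "/"
    return cookie.output(header="Set-Cookie:").strip()
```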

One more nail in the coffin with an opinionated video:

JSON Web Tokens Suck - Randall Degges (DevNet Create 2018)

As the presenter says at the end, it became popular mainly because of trendiness (and also in my opinion because neither authorization servers nor API managers can manage states properly). The identity and access management guys were just bored 🙂 Even JWT use in OAuth2 is often questionable and risky.

But for authenticated sessions you’d better stick to plain good old cookies.

1 Like

Can the above statement be achievable using the cookie method I described @tangui?

Or is there a better solution for this?

Thanks in advance