1

I still cannot understand what is the main purpose of JWT. As for me the only purposes are:

  • to overcome CSRF
  • and to ensure better mobile support (because mobile apps in some cases don t support cookies).

Also there is a claim that with JWT you don't have to worry about session storage on the server side. This is not clear to me. How could JWT completely replace session storage on the server side? Does this mean that we put all session data into the JWT, encrypt it and send it to client on every response? But if so, does that mean the token that is issued by server will change depending on the data which we used to store in session? And as i understand the only thing that prevent us from using cookie this way(without session storage on the server side) is the size limit on cookie files - only 4kb.

Also do we still need to use SSL to prevent session hijacking? Please tell me if my understanding is right or there is some other aspects.

smwikipedia
  • 61,609
  • 92
  • 309
  • 482
Oleksandr Papchenko
  • 2,071
  • 21
  • 30

2 Answers2

6

I think there're too many legends about JWT. To understand its essence, we should get back to its original definition.

According to its official site:

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.

So essentially, what JWT offers is just a way to transmit data. No more, no less. And because multi parties are involved, the format MUST be standardized. And once the format is standardized, libraries can be made to facilitate its adoption.

Again from the official site:

When should you use JSON Web Tokens?

There are some scenarios where JSON Web Tokens are useful:

Authentication:

This is the typical scenario for using JWT, once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token. Single Sign On is a feature that widely uses JWT nowadays, because of its small overhead and its ability to be easily used among systems of different domains.

Information Exchange:

JSON Web Tokens are a good way of securely transmitting information between parties, because as they can be signed, for example using public/private key pairs, you can be sure that the senders are who they say they are. Additionally, as the signature is calculated using the header and the payload, you can also verify that the content hasn't changed.

So, Authentication is merely one of the possible use cases of JWT. Though it is indeed a typical usage of JWT.

As far as authentication is concerned, JWT can be used to replace session+cookie approach because it can save server's memory for storing sessions. But how big the benefit is depends on the user amount and your specific scenario. If there's only a few clients and no cross-domain authentication requirements, I don't think you need to give up the good old session+cookie approach.

Last but not the least, Session is not JUST meant for authentication. It is actually meant to place HTTP requests and responses within a larger context. I am not sure if JWT can replace session for that purpose given JWT's size limit. And IMHO, authentication just happened to be one of the use cases of session since such info must be user-specific. There are many other good scenarios to justify session, such as Shopping Cart.

Community
  • 1
  • 1
smwikipedia
  • 61,609
  • 92
  • 309
  • 482
3

JWTs in itself are just self-contained tokens and don't provide CSRF protection. The protocol used to deliver the JWT may (or should) provide means to prevent CSRF.

One area where JWTs are notably "better" than cookies is their cross-domain capability. You can read more on the comparison between tokens and cookies here: https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/

JWTs can be self-contained so they have all the information that you need in a verifiable container that would enable you to use them without storing them (or a reference to them). But there may be more data that you need in a session so avoiding session storage in general is not a reason in itself for moving to JWTs.

SSL is required for sure to prevent token leakage and session hijacking.

Hans Z.
  • 50,496
  • 12
  • 102
  • 115