
I know that JWT could be used to replace cookie/session-based authentication, and we used it in a previous project. I understand that using JWT has a lot of benefits, such as being stateless, CDN support, avoiding CSRF attacks, better support for a cluster environment, etc.

However, I'm very confused about whether JWT could totally replace the session. If we want to fully leverage JWT to keep all the session state, then it means that any time the server backend wants to add any state to the session, instead of doing that, the server side has to re-generate a new token with that info and the client side has to update to the newly generated token. I doubt whether this is the right way or not.

And if we only leverage JWT to support authentication and keep only user credential info, although the authentication service could be decoupled as a standalone microservice, the session would still be necessary for the business service backend if we want to keep some session state, right? While reading the Spring documentation, I saw it recommends leveraging Redis to save session state to support a cluster environment.

Overall, I'm very confused about whether JWT could be used to fully replace the session or not.

Thanks a lot.

mailme365

1 Answer


(This is not an answer yet. Just some info I have collected so far. I am having exactly the same question. I will change it to an answer when I thoroughly solve this question.)

So far, I think JWT can be used to replace session+cookie as far as authentication is concerned. But session is not just used for authentication; it is actually more meant for user-specific data storage. I am not sure if JWT can replace session for that purpose, given JWT's size limit (described below). And IMHO, authentication just happens to be one of the use cases of session, since such info must be user-specific.

If you use JWT in place of a server-side session, you will probably store the JWT in an HTTP header, and more likely as a cookie (see here). But there is some size limit on the header, and 4K for a cookie. If you go with a server-side session, I don't think such a limit exists.

And this article lists some caveats of JWT.

ADD 1

And below is a similar thread questioning whether JWT can totally replace session storage. I just added some more answers there. Please do take a look.

Do I need session store using JSON Web Token tokens? Why not just using cookies?

ADD 2

If we store JWT as a cookie as in my first link above, isn't it a re-implementation of a signed cookie?

The answer is here: Shall we store JWT as a cookie?

And another question of mine: Token based authentication and scalability? An illusion?

smwikipedia
  • @mailme365 I updated my reply. It may look more like an answer now. – smwikipedia Jan 07 '16 at 02:26
  • Thank you so much for your detailed answer. JWT could not fully replace session, so a lot of the merits of JWT (like CDN, stateless, etc.) would only work for the authentication server, not the business server, unless we use Redis to save session data as Spring recommends. That means if we combine the authentication function and the business function into the same Tomcat application, we would still use Session; I do not see an apparent benefit to using JWT in this case, the only benefit might be avoiding CSRF attacks. – mailme365 Jan 10 '16 at 14:43
  • @mailme365 Thanks for the summary. I think so too. – smwikipedia Jan 10 '16 at 15:56
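As an added illustration of the points in the question and the answer (not code from either poster): a minimal HS256 JWT issued and verified with only the Python standard library, where "adding session state" means re-issuing the whole token, and the re-issued token is checked against the 4K cookie limit the answer mentions. The secret, claim names and sizes are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment loads this from a secret store.
SECRET = b"constructed-demo-secret-do-not-reuse"
COOKIE_LIMIT = 4096  # per-cookie size limit discussed in the answer


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes = SECRET) -> str:
    """Sign claims as an HS256 JWT; the token itself is the only 'session' state."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes = SECRET, now=None) -> dict:
    """Check alg, signature and expiry, then return the claims; raise on any failure."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust 'alg' from the token
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # A missing 'exp' is treated as already expired rather than as valid forever.
    if claims.get("exp", 0) <= (now if now is not None else int(time.time())):
        raise ValueError("expired")
    return claims


def add_session_state(token: str, key: str, value, secret: bytes = SECRET) -> str:
    """Adding state to a stateless 'session' means re-issuing the whole token to the client."""
    claims = verify_token(token, secret)
    claims[key] = value
    new_token = issue_token(claims, secret)
    if len(new_token) > COOKIE_LIMIT:
        raise ValueError(f"token of {len(new_token)} bytes exceeds the {COOKIE_LIMIT}-byte cookie limit")
    return new_token
```

Every call to add_session_state produces a new token the client must store, which is the round trip the question worries about; the size check shows why bulk user-specific data still belongs in a server-side store.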