
Stop using JWT for sessions - setra
http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/
======
CyanLite3
Terrible, terrible advice.

Here's an actual quote from the article:

"...unless you are operating at the size of Reddit, you will not need
'stateless sessions'." So for the rest of 99% of the technology world, you
don't need stateless sessions because TFA says so.

~~~
kristoff_it
Why would the advice be terrible?

There are some "hard" trade-offs in using stateless sessions and the article
argues that you are better off storing sessions on the server, as long as it
doesn't start costing you more than dealing with such trade-offs.

------
factcheckers
This line is just incorrect:

> The only correct CSRF mitigation is a CSRF token

Custom headers are better, imho, if you have an ajax-driven app. There is 0
chance of CSRF ever happening if you require the session token be passed in a
custom header and hold the session value in localStorage.

Source: I am an infosec professional.

