
Nope. If there was, virtually every Rails app would be doomed.

There's a sort of intuitive insecurity quotient for things that goes something like C/W_s where C is complexity and W_s is the number of people in the world who would be screwed if something was totally broken.

Encrypted session cookies have, as a design, relatively modest C and very, very high W_s.

JWT has extraordinarily high C and, at present, modest W_s (relative to session cookies).

(They also have a bunch of design flaws that amplify their complexity).

Yep. I was brought on to a project where the JWT secret was a 6 letter band name. It's the hotness newness in the JS community and there's a lot of tutorials out there that show how easy it is to set up without explaining the risks/trade-offs.
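The weak-secret problem in the comment above comes down to one check that a signing library can enforce before it ever issues a token. The following is an added example (not code from anyone in this thread and not any specific library's API): a minimal HS256 JWT signer and verifier in standard-library Python that refuses secrets shorter than the 256 bits RFC 7518 section 3.2 requires for HS256, generates a proper secret, pins the algorithm to HS256 so an `alg: none` header is rejected, and compares signatures in constant time. The function names and the six-character sample secret are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# RFC 7518 section 3.2: an HS256 key MUST be at least as long as the hash
# output, i.e. 256 bits / 32 bytes. Anything shorter is brute-forceable.
MIN_HS256_SECRET_BYTES = 32


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_secret_strength(secret: bytes) -> bool:
    """True only if the secret meets the RFC 7518 minimum for HS256."""
    return len(secret) >= MIN_HS256_SECRET_BYTES


def generate_secret() -> bytes:
    """A fresh HS256 secret from the OS CSPRNG (store it outside source)."""
    return secrets.token_bytes(MIN_HS256_SECRET_BYTES)


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue a compact JWS (header.payload.signature) with HS256."""
    if not check_secret_strength(secret):
        raise ValueError("HS256 secret is shorter than 256 bits; refusing to sign")
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode("utf-8")
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(payload))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: bytes):
    """Return the payload dict if the token is valid, else None.

    The expected algorithm is fixed by the verifier, never read from the
    token, so 'alg: none' or algorithm-confusion headers are rejected.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        presented_sig = b64url_decode(sig_b64)
        if header.get("alg") != "HS256":
            return None
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected_sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(expected_sig, presented_sig):
            return None
        return json.loads(b64url_decode(payload_b64))
    except ValueError:  # bad structure, bad base64, or bad JSON
        return None


if __name__ == "__main__":
    weak = b"abcdef"  # constructed stand-in for a six-letter secret
    print("six-letter secret acceptable:", check_secret_strength(weak))
    strong = generate_secret()
    token = sign_hs256({"sub": "alice"}, strong)
    print("verifies with right secret:", verify_hs256(token, strong))
    print("verifies with wrong secret:", verify_hs256(token, b"x" * 32))
```

The point of the example is where the check lives: `sign_hs256` fails closed on a short secret, so a tutorial-grade configuration like the one in the comment cannot silently ship. Real deployments should also validate registered claims such as `exp` and `aud`, which this minimal verifier leaves out.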
