Most of this article seems to be against having browser JavaScript store tokens and inject Authorization headers, which you are free to avoid if you don't want to use them. JWT is just a token format, you can set it as an HTTPS-only cookie and have your server read it from there. Stateful vs. stateless is orthogonal to how the token gets handled by the client and sent back to the server.
In my toy projects I include the IP address in the JWT payload, so the JWT is only good for that IP. I don't always see that in examples. Not sure of any downsides of that (if the client is rotating IPs or using a VPN, I may be blocking them anyway). But it seems consistent with the cookie concept that a login is only good on that device.
I think it's a debate. I like to keep the DB clean of sessions, but it's easy enough to keep them in server memory; if I take the server down, I don't mind making people log in again.
It's a bad idea... Users on mobile or cellular connections get their IPs rotated often. There's also CGNAT (Carrier Grade NAT), where users share a pool of IPs.
False. OIDC providers expose an API endpoint for early token revocation. Otherwise it would be impossible for users to LOGOUT.
The insertion of tons of junk metadata in a JWT's claims represents a problem of usage style, not an inherent problem of JWT or OIDC. As a workaround for good data design, the user can be presented with a re-authentication form, where the new token shall replace the old data.
Yep, and if you’re like “if you have to store a revocation/update list then isn’t that just a stateful session again?” Yes but now you only have to store the changed tokens instead of every token — good trick if you’re having trouble scaling Redis.
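As an added illustration of the "store only the changed tokens" idea in the comment above (example code written for this thread, not from any commenter or library): a minimal HS256 JWT signer/verifier, using only the Python standard library, with a revocation list keyed by `jti` that holds an entry only until that token's `exp` has passed. The secret and claim values are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # placeholder key for this example only

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Build a compact HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

class RevocationList:
    """Stores only revoked token ids (jti -> exp). An entry is dropped once the
    token would have expired on its own, so the list stays bounded."""
    def __init__(self):
        self._revoked = {}

    def revoke(self, jti: str, exp: float) -> None:
        self._revoked[jti] = exp

    def is_revoked(self, jti, now: float) -> bool:
        for j, e in list(self._revoked.items()):   # purge entries past their exp
            if e <= now:
                del self._revoked[j]
        return jti in self._revoked

    def __len__(self) -> int:
        return len(self._revoked)

def verify_jwt(token: str, revoked: RevocationList, secret: bytes = SECRET, now=None):
    """Return the claims if signature, alg, exp and revocation checks pass, else None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    if json.loads(_unb64url(h)).get("alg") != "HS256":   # reject e.g. alg "none"
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):   # constant-time compare
        return None
    claims = json.loads(_unb64url(p))
    if claims.get("exp", 0) <= now or revoked.is_revoked(claims.get("jti"), now):
        return None
    return claims
```

Every token still carries its own expiry, so the only server-side state is the set of tokens revoked before their `exp`.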
Yeah, JWTs are a nice standard way of doing that, but it's functionally not really different from the HTTPS + Session + Nonce pattern that's been in use for about 10 years now, and, provided you pick a secure function to make the hash for the nonce, the nonce may be more secure since it rotates with each payload while the JWT's encryption lasts for its lifetime.
Every JWT auth system I've ever seen uses expiries on the order of minutes, and uses a single-use refresh token to allow the client application to invisibly request an updated token.