Hacker News

Wouldn't we be able to avoid this if we did away with the secure cookie and replaced it with a JWT (JSON Web Token)? This way, there is no state to maintain in the database, and authorization can expire?



There isn't much difference between a secure cookie and a JWT. Well, except that a JWT is just signed, not encrypted, so your cookie contents are visible. Also, JWT has issues, https://auth0.com/blog/2015/03/31/critical-vulnerabilities-i.... The main thing is that you have added nothing by using JWT, because you still can't expire a specific token without storing some kind of "token status" in the database.



