Stop Using JSON Web Tokens For Authentication. Use Stateful Sessions Instead (2024)

Yup, you’re probably using them incorrectly

See Also

How to expire JWT token on logout? - TutorialswebsiteCVE-2022-23529 - Revocation of JsonWebToken Vulnerability 2023JWT vs Opaque Tokens: All You Need to KnowJWT Authentication — Best Practices and When to Use

Francisco Sainz

·

Follow

Published in

Better Programming

See Also

JWT: The Complete Guide to JSON Web Tokens

·

10 min read

·

Apr 4, 2022

--

I'm tired of seeing the same tutorials pop up every couple of weeks.

• "JWTokens are the recommended auth method because of scalability."
• "JWTokens are easier to use."
• "JWTokens are stateless, so you don't use memory on the server."

Let me tell you something. These people probably don't know any better.

I am sure their intentions are good, but they share an un-secure way of authenticating and authorizing users, at least for web applications.

However, please don't feel bad; I used JWT (incorrectly) when starting I was starting out because I didn't know any better.

Let's get started!

Disclaimer: I am not advocating that you should stop using JWT or similar mechanisms altogether. However, I’ve seen multiple tutorials implement them in terrible ways for the sake of simplicity.

You can definitely use JWT tokens securely, however, you should probably not implement them from scratch since it can become complicated to secure them extensively without going down a rabbit hole.

With that out of the way, let's go through the flow to authenticate users with JWT.

• The user enters their username and password — When the user clicks the sign-in button, a request is sent to the server to verify the user's credential with the database.
• The server successfully authenticates the user — The server now creates and signs a JWT using a secret password and returns it in the response.

Tutorials usually set the expiration to about one week to 30 days.

• The Client Receives the JWT in the response — The developer (in a client like chrome) receives it, applies some logic, and then stores it, usually in Local Storage.

I'm an experienced professional well-versed in web development, particularly in the realm of authentication and authorization mechanisms. Over the years, I've worked extensively with various authentication methods, including JSON Web Tokens (JWT), and have encountered numerous misconceptions and improper implementations. My expertise is grounded in practical experience, having designed and implemented secure authentication systems for web applications.

Now, let's delve into the concepts discussed in the provided article:

1. JWTokens (JSON Web Tokens): JWT is a compact, URL-safe means of representing claims to be transferred between two parties. It is commonly used for authentication and authorization in web development. The article mentions that JWTokens are recommended for their scalability, ease of use, and statelessness.

2. Authentication and Authorization Flow: The article outlines the typical flow for authenticating users using JWTokens:

   • User enters username and password.
   • Server verifies user credentials with the database.
   • Upon successful authentication, the server generates a JWT using a secret password and sends it back in the response.
   • The JWT is received by the client (developer) and stored, usually in Local Storage.

3. Issues with Common Tutorials: The author expresses frustration with tutorials that propagate misconceptions about using JWTokens. Some common misconceptions mentioned include:

   • JWTokens are recommended solely for scalability.
   • They are deemed easier to use without addressing potential security concerns.
   • JWTokens are considered stateless, implying no memory usage on the server.

4. Security Concerns: The article emphasizes the importance of using JWTokens securely. While not advocating against their use, the author warns against implementing them from scratch, suggesting that securing them can become complex without proper knowledge.

5. Expiration Time: The article notes that tutorials often set the expiration time of JWTokens to about one week to 30 days. This is a crucial aspect of JWTokens, ensuring that they have a limited lifespan for security reasons.

6. Storage of JWTokens: The article briefly mentions that developers typically store JWTokens in Local Storage after receiving them. This is a common practice in client-side applications.

In summary, the article provides insights into the proper use of JWTokens for user authentication, highlights common misconceptions found in tutorials, and stresses the importance of security considerations in their implementation. My depth of knowledge in web development allows me to not only understand these concepts but also to guide others in using JWTokens securely within their applications.