CodeIgniter Forums
Opinion : JSON web tokens - Printable Version

Thread: Opinion : JSON web tokens (/showthread.php?tid=67520)



Opinion : JSON web tokens - albertleao - 03-04-2017

I just wanted to get the community's opinion on JWT. I currently use PHP sessions for authentication, and while it works, it is a pain to have to handle multiple authentication methods for the same app depending on the device that my user is on.

While I am fully aware that JWT is meant to be "stateless", it makes me wonder if you can use JWT to replace the usual cookie-based authentication, and have a key in the token that can be looked up in a database. This would make the JWT stateful but would give the added benefit of allowing the same authentication methods whether you're coming from the web, command line, or native application.

An added benefit to this is that you're not bound to the PHP session locking, though you would have to implement some logic to prevent your token data from being overwritten by concurrent requests. A little bit of Google researching has led me to find that JWT can be just as effective fighting CSRF if implemented correctly. As far as I know, Ruby on Rails uses a similar method to JWT to store its sessions on the client, but I could be wrong.

Is there a flaw in my logic here, or could JWT securely replace PHP sessions?


RE: Opinion : JSON web tokens - arma7x - 03-04-2017

Take a look at this, https://github.com/psr7-sessions/storageless


RE: Opinion : JSON web tokens - albertleao - 03-04-2017

Interesting. That might be a solution. I would still put an id in my JWT that eventually tied back to a database sessions table. I know that defeats the purpose of stateless, but God mighty would it simplify native app development.


RE: Opinion : JSON web tokens - Narf - 03-06-2017

Nope, not a good idea.

http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/


RE: Opinion : JSON web tokens - albertleao - 03-08-2017

(03-06-2017, 02:00 AM)Narf Wrote: Nope, not a good idea.

http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/

Thank you, exactly the kind of feedback I was looking for. I have read at least 4-5 contradicting articles/blogs on the matter.


RE: Opinion : JSON web tokens - arma7x - 03-08-2017

(03-04-2017, 08:21 AM)albertleao Wrote: Interesting. That might be a solution. I would still put an id in my JWT that eventually tied back to a database sessions table. I know that defeats the purpose of stateless, but God mighty would it simplify native app development.

Yes, you should add an identifier to each JWT token, and tie the identifier to the IP address, device OS, etc., stored in the database. Then the user can access/track their JWT records and delete the unrecognized ones. If your secret key is leaked, it is possible for an attacker to generate a JWT, but not the identifier. The identifier should be generated securely at random. On a native mobile app maybe you can expose the JWT payload, so the user can know their identifier too.
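The stateful design from the opening post (a key in the token that is looked up in a database sessions table) and the identifier scheme arma7x describes above (a securely random identifier per token, tied to IP address and device, so the user can list and delete tokens and a leaked key alone does not yield a usable token), as an added PHP example. This is not code from the thread, from CodeIgniter or from psr7-sessions/storageless: it hand-rolls an HS256 JWT with PHP's standard hash_hmac/base64 functions, uses an in-memory SessionStore class as a stand-in for the database table, and the function names, the row layout and the sample user/IP/device values are all assumptions made for the illustration.

```php
<?php
declare(strict_types=1);
// Added example, not code from this thread, CodeIgniter or the linked library.
// A "stateful JWT": the token carries a random jti that must also exist in a
// server-side sessions table, so the table row (not the signature alone)
// decides whether the token is live. SessionStore, the row layout and all
// names are assumptions; an in-memory array stands in for the database table.

function b64url(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64urlDecode(string $data): ?string
{
    $pad = strlen($data) % 4;
    if ($pad !== 0) {
        $data .= str_repeat('=', 4 - $pad);
    }
    $raw = base64_decode(strtr($data, '-_', '+/'), true);
    return $raw === false ? null : $raw;
}

// Stand-in for a sessions table keyed by jti (assumed layout).
final class SessionStore
{
    private array $rows = [];
    public function insert(string $jti, int $userId, string $ip, string $device, int $exp): void
    {
        $this->rows[$jti] = ['user_id' => $userId, 'ip' => $ip, 'device' => $device, 'exp' => $exp];
    }
    public function find(string $jti): ?array { return $this->rows[$jti] ?? null; }
    public function listForUser(int $userId): array
    {
        return array_filter($this->rows, fn(array $r): bool => $r['user_id'] === $userId);
    }
    public function delete(string $jti): void { unset($this->rows[$jti]); }
}

function issueToken(string $secret, SessionStore $store, int $userId, string $ip, string $device, int $ttl = 3600): string
{
    $jti = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG: unguessable even with the key
    $exp = time() + $ttl;
    $store->insert($jti, $userId, $ip, $device, $exp);
    $header  = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url(json_encode(['sub' => $userId, 'jti' => $jti, 'exp' => $exp]));
    $sig     = b64url(hash_hmac('sha256', "$header.$payload", $secret, true));
    return "$header.$payload.$sig";
}

// Returns the session row for a live token, or null. The signature proves the
// token was minted with the key; the jti lookup proves this particular token
// was issued by us and has not been deleted (revoked) since.
function verifyToken(string $secret, SessionStore $store, string $token): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(b64urlDecode($h) ?? '', true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null; // only the algorithm we issue with is accepted
    }
    $expected = b64url(hash_hmac('sha256', "$h.$p", $secret, true));
    if (!hash_equals($expected, $s)) {
        return null;
    }
    $claims = json_decode(b64urlDecode($p) ?? '', true);
    if (!is_array($claims) || !isset($claims['jti'], $claims['sub'], $claims['exp'])) {
        return null;
    }
    if (!is_int($claims['exp']) || $claims['exp'] < time()) {
        return null;
    }
    $row = $store->find((string) $claims['jti']);
    if ($row === null || $row['user_id'] !== $claims['sub']) {
        return null;
    }
    return $row;
}

// --- demo with constructed data (user 42, a documentation IP, a made-up device) ---
$secret = random_bytes(32);
$store  = new SessionStore();
$token  = issueToken($secret, $store, 42, '203.0.113.7', 'android-app');
var_dump(verifyToken($secret, $store, $token) !== null);   // bool(true)

// Token signed with the real (leaked) key but a jti that was never issued.
$hdr    = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
$forged = $hdr . '.' . b64url(json_encode(
    ['sub' => 42, 'jti' => bin2hex(random_bytes(16)), 'exp' => time() + 3600]
));
$forged .= '.' . b64url(hash_hmac('sha256', $forged, $secret, true));
var_dump(verifyToken($secret, $store, $forged) === null);  // bool(true): valid signature, unknown jti

// The user lists their sessions (ip, device) and deletes one; that token dies at once.
foreach ($store->listForUser(42) as $jti => $row) {
    echo "$jti {$row['ip']} {$row['device']}\n";
}
$store->delete(array_key_first($store->listForUser(42)));
var_dump(verifyToken($secret, $store, $token) === null);   // bool(true): revoked
```

Run it with `php stateful_jwt.php` (PHP 7.4 or later). In a real app the SessionStore calls become queries against the sessions table, and the client sends the token in an `Authorization: Bearer` header rather than a cookie, which is what keeps the browser from attaching it to cross-site requests; the jti row is what gives you server-side logout and per-device listing that a purely stateless JWT cannot offer.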