Opinion : JSON web tokens
#1

(This post was last modified: 03-04-2017, 08:22 AM by albertleao.)

I just wanted to get the community's opinion on jwt. I currently use PHP sessions for authentication, and while it works, it is a pain to have to handle multiple authentication methods for the same app depending on the device that my user is on.

While I am fully aware that jwt is meant to be "stateless", it makes me wonder if you can use jwt to replace the usual cookie-based authentication, and have a key in the token that can be looked up in a database. This would make the jwt stateful but would give the added benefit of allowing the same authentication methods whether you're coming from the web, command line, or native application.

An added benefit to this is that you're not bound to the PHP session locking, though you would have to implement some logic to prevent your token data from being overwritten by concurrent requests. A little bit of Google researching has led me to find that jwt can be just as effective at fighting CSRF if implemented correctly. As far as I know, Ruby on Rails uses a similar method to jwt to store its sessions on the client, but I could be wrong.

Is there a flaw in my logic here, or could jwt securely replace PHP sessions?
Codeigniter is simply one of the tools you need to learn to be a successful developer. Always add more tools to your coding arsenal!
#2

Take a look at this, https://github.com/psr7-sessions/storageless
Keep calm.
#3

Interesting. That might be a solution. I would still put an id in my jwt that eventually tied back to a database sessions table. I know that defeats the purpose of stateless, but God mighty would it simplify native app development.
Codeigniter is simply one of the tools you need to learn to be a successful developer. Always add more tools to your coding arsenal!
#4

Nope, not a good idea.

http://cryto.net/~joepie91/blog/2016/06/...-sessions/
#5

(03-06-2017, 02:00 AM)Narf Wrote: Nope, not a good idea.

http://cryto.net/~joepie91/blog/2016/06/...-sessions/

Thank you, exactly the kind of feedback I was looking for. I have read at least 4-5 contradicting articles/blogs on the matter.
Codeigniter is simply one of the tools you need to learn to be a successful developer. Always add more tools to your coding arsenal!
#6

(This post was last modified: 03-08-2017, 02:43 AM by arma7x.)

(03-04-2017, 08:21 AM)albertleao Wrote: Interesting. That might be a solution. I would still put an id in my jwt that eventually tied back to a database sessions table. I know that defeats the purpose of stateless, but God mighty would it simplify native app development.

Yes, you should add an identifier for each jwt token, and tie the identifier to the IP address, device OS, etc. stored in the database. So the user can access/track their jwt records and then delete any unrecognized jwt. If your secret key is leaked, it is possible for an attacker to generate a jwt, but not the identifier. The identifier should be generated in a secure random way. On a native mobile app maybe you can expose the jwt payload, so the user can know their identifier too.
Keep calm.
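The stateful design arma7x describes above (a random identifier in the token that is looked up in a server-side session table, so a token can be revoked and a forged-but-validly-signed token is still rejected), as an added example in Python that is not code from this thread or from CodeIgniter. The in-memory SESSIONS dict, the generated SECRET and the function names are assumptions standing in for a database table and the app's key storage.

```python
import base64, hashlib, hmac, json, secrets, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Assumption: an in-memory dict stands in for the "sessions" DB table (jti -> record).
SESSIONS = {}
SECRET = secrets.token_bytes(32)  # constructed demo signing key

def issue_token(user_id, device, ttl=3600, now=None):
    """Mint an HS256 JWT whose jti is a fresh random session id stored server-side."""
    now = int(now if now is not None else time.time())
    jti = secrets.token_urlsafe(32)  # unguessable even if SECRET leaks
    SESSIONS[jti] = {"user": user_id, "device": device, "created": now}
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "jti": jti, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        _b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token, now=None):
    """Return the session record, or None if signature, expiry or jti lookup fails."""
    now = int(now if now is not None else time.time())
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        if header.get("alg") != "HS256":  # pin the algorithm; never trust 'none'
            return None
        expected = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return None
        payload = json.loads(_b64url_decode(p64))
    except (ValueError, TypeError):
        return None
    if payload.get("exp", 0) <= now:
        return None
    session = SESSIONS.get(payload.get("jti"))
    if session is None or session["user"] != payload.get("sub"):
        return None  # unknown or revoked identifier: a valid signature alone is not enough
    return session

def revoke(jti):
    """Server-side logout: drop the record, so the still-signed token stops working."""
    SESSIONS.pop(jti, None)
```

Because the lookup happens on every request, deleting a row is an immediate revocation, which a purely stateless JWT cannot offer before its exp passes.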