How secure are JWTs?
The general opinion is that they’re suitable for use as ID Tokens or Access Tokens and that they’re secure – as the tokens are usually signed or even encrypted. A JSON Web Token (JWT, pronounced “jot”) is a compact and URL-safe way of passing a JSON message between two parties. It’s a standard, defined in RFC 7519.
Should you store JWT in database?
A JWT needs to be stored in a safe place inside the user’s browser. If you store it inside localStorage, it’s accessible by any script inside your page. This is as bad as it sounds; an XSS attack could give an external attacker access to the token.
Should I store JWT in Redis?
TLDR: If you want the capability to revoke the token at some point, yes, store it in something fast like Redis. One of the well-documented drawbacks of using JWTs is that there’s no simple way to revoke a token if, for example, a user needs to be logged out or the token has been compromised.
You need to either track which cookies are valid server-side, or you need to include the expiry in the cookie and prevent it from being modified via some form of cryptographic integrity check, such as a digital signature or Message Authentication Code (MAC). This is, incidentally, how JWTs work. A JWT has three parts.
Are there any advantages to validating JWT’s on every request?
Advantage: the server always knows which tokens are valid; it can store expiry information where the user can’t even see (much less edit) it and it can prematurely expire tokens (if the user logs out or requests to end other sessions). Advantage: no long-term secret that an attacker could steal to be able to forge valid tokens.
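The three points above (an integrity check over the expiry, verifying the signature on every request, and a server-side revocation store) fit together in a few lines. The following is an added example, not code from the original page: it mints and verifies an HS256 JWT with Python's standard library only, rejects tampered or expired tokens, and consults a plain `set` named `REVOKED` as a stand-in for the Redis set a real deployment would use. `SECRET` is a constructed demo value.

```python
import base64, hashlib, hmac, json, time

SECRET = b"demo-secret-do-not-use"   # constructed for this example only
REVOKED = set()                      # stand-in for a Redis set of revoked "jti" values

def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7519 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(claims: dict, secret: bytes = SECRET) -> str:
    """Build header.payload.signature; the HMAC covers header and payload,
    so the expiry stored in the payload cannot be edited by the client."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify(token: str, secret: bytes = SECRET, now=None, revoked=None):
    """Return the claims if the token is authentic, unexpired and not revoked,
    else None. Runs on every request, so revocation takes effect immediately."""
    now = time.time() if now is None else now
    revoked = REVOKED if revoked is None else revoked
    try:
        header, payload, sig = token.split(".")
        hdr = json.loads(b64url_decode(header))
        given_sig = b64url_decode(sig)
    except ValueError:                       # malformed structure, base64 or JSON
        return None
    if hdr.get("alg") != "HS256":            # pin the algorithm; never trust "alg" from the token
        return None
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_sig):   # constant-time comparison
        return None
    claims = json.loads(b64url_decode(payload))
    if "exp" not in claims or claims["exp"] <= now:     # expiry is required and enforced
        return None
    if claims.get("jti") in revoked:                    # server-side revocation check
        return None
    return claims
```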
Is it good to use JWTs with opaque tokens?
Just having a long opaque token (high entropy) is good enough. Hence, the signing of JWTs doesn’t add any extra security in comparison to opaque tokens; it simply matches the security level.
Are You using JWTs for user sessions in the correct way?
However, I do offer my opinion on the best solution for session management (spoiler: it has the advantages of JWTs without any of their disadvantages!). The flow of the content is as follows: a cursory note on session management. User sessions involve managing tokens across your app’s backend and frontend.