I'm looking at JWT as an alternative to traditional session cookies, and I fail to see how it differs fundamentally from signed cookies, for example the ones Express offers through the cookie-parser middleware.
In both of them, the last part is a signature of the payload that guarantees the payload hasn't been tampered with.
Signed cookie:
user=tobi.cp7awaxdfakirfh49dqzkjx7skzzsopq7/acbbrvwli3
Equivalent JWT:
eyjhbgcioijiuzi1niisinr5cci6ikpxvcj9.eyj1c2vyijoivg9iasj9.kctlr_igb4h5cqbededshm2ivsqijpqkwqn4pzaxb2g
Besides the facts that:
(1) a JWT doesn't come with origin restrictions,
(2) cookie content is human-readable, whereas JWT content (header + payload) is base64 encoded,
is there anything that gives JWT a clear advantage over signed cookies?
Beware of mixing concerns: cookies are a mechanism for storing data on the client; they aren't inherently an authentication mechanism, but you can use them that way :)
The primary benefit of JWTs is the declared structure (JSON, common fields) and the declared mechanism for signing them. Beyond the specification, there is nothing special about it. It is nice to have a common way of persisting identity assertions.
You still need to store the JWT in a secure fashion, and cookies with HttpOnly; Secure are the best option. This prevents the cookie from being read by the JavaScript environment, and prevents XSS attacks.
I've written blog posts on JWTs that contain more information than this answer to your question:
Build Secure User Interfaces Using JSON Web Tokens (JWTs)
Token Based Authentication for Single Page Apps (SPAs)
Disclaimer: I work at Stormpath. We sponsor open-source JWT libraries for Node.js and Java, which can be found here:
If you're using AngularJS, you can implement JWT best practices out of the box with our Stormpath Angular SDK.