94 likes
·
14.3K reads
11 comments
Awesome article man!!! Those diagrams are cool 👀
Thank you! I made them using Excalidraw
Dhruva Srinivas cool!!!
pog article with pog diagrams
Thanks man, means a lot!
Session stores are not public and are stored remotely on a server, hence rendering the session data to be safe. In the case of JWTs, the tokens are relayed on every request and can be intercepted. Sessions are, in most cases, safer than using JWTs
In what way sessions safer? Cookies just like JWT no more than a header attached to the HTTP response/request passed between a client and a server. If token can be intercepted, the session ID can be intercepted the same way. Once it is intercepted, an attacker can use it to have an authenticated communication on your behalf.
Having the session on the server side does not make it more secure. An attacker is not after the data in your session info, they are after your session ID/token so that they can communicate to the server "as you".
No sane person will put sensitive data inside JWT. They are meant to be open to public, although they allow for encryption if required.
When dealing with JWTs in SPA, often the solution is to transmit them in the httpOnly and secure cookie, which brings them in par with sessions more or less. Also, as soon as you add extra checks on the backend, like, blacklisting (like you mentioned) you essentially having implemented sessions :) except instead of an opaque token that represents session ID, you are transmitting a JWT that is open but has say a userId only in it.
Hey, thanks for reading! These are some great points you have mentioned here! It is true that when you store JWTs in cookies, it is as secure as a session ID in a cookie because cookies are essentially HTTP headers. There is a substantial difference in security only when you store JWTs in other locations such as localStorage. But implementing safe JWT auth in a way that could be as secure as using sessions would involve maintaining a blocklist on the server, which then makes using sessions easier IMO =)
Thanks again for this comment, I will make the required edits in the post!
Nice write up summarizing the two options.
Thanks for reading!
Great article, just one point.
Server-side sessions were the traditional way to implement auth
I wouldn't call session authentication a traditional way. Since it's still one of the way to do authentication on SSR.
🙂
Nice bro 👌👌