Why do we need JWT when we have client sessions?

I understand that JWTs are stateless tokens that store signed information about the client's application and are transmitted to the server through the HTTP Authorization header.

My question is: why do we need JWT when we already have client sessions (https://github.com/mozilla/node-client-sessions)? Client sessions are conceptually the same. These are cookies that contain signed information, which when verified means that the cookie was not tampered with. In addition, client sessions are stored in a cookie and transmitted through the HTTP Cookie header. It is the same thing, just with different words. Am I wrong?

So why does JWT exist? I could understand that perhaps the point was to standardize the operation of authentication tokens, but we got along fine without a standard session identifier (each implementation did everything in its own way). Also, why doesn't JWT use cookies as a means of transmission? With cookies, you do not need to explicitly send the correct header for each request (which simplifies Ajax requests).

Did I miss something?

1 answer

JWT tokens are signed JSON-formatted documents that make claims about the user (or any principal). If you trust the issuer of the token, you trust the claims in the token and can make authorization decisions based on them.

JWT tokens are often used to call external web APIs. These APIs do not necessarily live on the same domain as your website, and therefore cannot use the same cookies as your website. JWT tokens are used in REST services because they do not need session information stored on the server. JWT tokens are also not susceptible to CSRF attacks.

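An added example, not part of the question or the answer above: a stdlib-only Python sketch of the two mechanisms side by side. The key, issuer name and claim values are constructed for the demo. It shows the shared HMAC core the question points to, and what the answer adds on top: a fixed header.payload.signature layout with standard claims (iss, exp) that a consumer on another domain can check, verified by code that pins the algorithm instead of trusting the token's header.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

# --- client-sessions style: one signed blob in a cookie, no fixed schema ---
def cookie_seal(session: dict, key: bytes) -> str:
    body = b64url(json.dumps(session).encode())
    return f"{body}.{b64url(sign(key, body.encode()))}"

def cookie_unseal(value: str, key: bytes):
    body, _, sig = value.rpartition(".")
    if not hmac.compare_digest(sign(key, body.encode()), b64url_decode(sig)):
        return None                      # tampered, or sealed with another key
    return json.loads(b64url_decode(body))

# --- JWT: the same HMAC idea, but a standard header.payload.signature layout
#     and standard claims (iss, exp) that any API in any domain can check ---
def jwt_sign(claims: dict, key: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = f"{header}.{b64url(json.dumps(claims).encode())}"
    return f"{signing_input}.{b64url(sign(key, signing_input.encode()))}"

def jwt_verify(token: str, key: bytes, issuer: str, now=None):
    # Claims come back only if signature, issuer and expiry all check out.
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        return None
    if json.loads(b64url_decode(h64)).get("alg") != "HS256":
        return None                      # pin the algorithm; never let the token choose
    if not hmac.compare_digest(sign(key, f"{h64}.{p64}".encode()), b64url_decode(s64)):
        return None
    claims = json.loads(b64url_decode(p64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer or float(claims.get("exp", 0)) <= now:
        return None
    return claims

KEY = b"constructed-demo-key-not-for-production"   # constructed for the demo

if __name__ == "__main__":
    cookie = cookie_seal({"user": "alice"}, KEY)
    token = jwt_sign({"iss": "auth.example", "sub": "alice", "exp": time.time() + 300}, KEY)
    print(cookie_unseal(cookie, KEY), jwt_verify(token, KEY, "auth.example"))
```

Transport is the part the code cannot show: the cookie is attached by the browser automatically, while the JWT only travels when the client explicitly sets the Authorization header, which is why the answer says it is not exposed to CSRF.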

Source: https://habr.com/ru/post/986396/
