Stop using JSON Web Tokens. Use Cookies & Server Sessions instead

JSON Web Tokens are a popular stateless way to authenticate your users and take load off your servers and APIs, but a JWT is not secure by default, and it can cost you more than it gives you as a developer. If you have been using JWTs to implement your authentication architecture, you need to know the common practices and the security pitfalls you should avoid!

⭐ Timestamps ⭐
00:00 Intro
00:45 JWT the Right Way!
03:27 How do JWT and Auth work?
04:44 Example Project 1: LocalStorage JWT
10:34 Stealing JWT From LocalStorage
12:50 Quick Fix for LocalStorage JWT tokens
13:21 How to implement HTTP-Only cookies w/ JWT
16:17 Logging in with HTTP-Only cookies
16:53 Say goodbye to XSS
18:02 Using Stateful Server Sessions
21:26 Invalidating JWT Tokens (Before Expiration)

💻 Source Code:

🧭 Turn Design into React Code | From prototype to Full website in no time

🧭 Watch Tutorial on Designing the website on Figma

🧭 Watch Create a Modern React Login/Register Form with smooth Animations

🧭 Debug React Apps Like a Pro | Master Debugging from Zero to Hero with Chrome DevTools

🧭 Master React Like Pro w/ Redux, Typescript, and GraphQL | Beginner to Advanced in React

🧭 Learn Redux For Beginners | React Redux from Zero To Hero to build a real-world app

🧭 Build Login/Register API Server w/ Authentication | JWT Express AUTH using Passport.JS and Sequelize

🧭 Introduction to GraphQL with Apollo and React

Made with 💗 by Coderone
Comments

This argument concerning the dangers of JWT was clearly crafted by an inexperienced software developer and is complete bunk. It is true that JWT has a few drawbacks, but the recommendation to utilize an HTTP session cookie and to keep the session alive on the server creates a much larger number of problems with regard to scalability. Do the research on your own and don't pay attention to what this other person says.

ArifRachim

Seems like he doesn't really understand JWT at all. The title says "Stop using JSON Web Tokens" but in reality, he still uses it lol (he just sends it in a different way).

justsample

Your approach is better, but devs should always make sure that the JWT is short enough to be stored as a cookie, because cookies have a limited character length and not all browsers have the same cookie space.

cloudndri

The biggest problem I have with JWTs is that you can't instantly invalidate them. When your account has been hacked you want to change your password and invalidate all existing login sessions immediately. You don't want a hacker to have access to your account for another 30 minutes because their JWT hasn't expired yet.

codinginflow

You are implying that the drawbacks you mention are the direct cause of using JWT. Those are entirely related to its implementation, though. Authentication and authorization done inconsiderately will be an issue, no matter which technology you use.

Seems like you base your knowledge on a specific way it was implemented and that you used in the past. Why else would you say that a JWT shouldn't be stored in a database?

Please do your research and don't spread wrong information. You have many followers that might use your channel as a reference...

Seroba

You didn't mitigate the risk of CSRF either... So the problem is actually not which authentication mechanism you use, but how you implement it...

ganhongjian

JWTs aren't bad. The vulnerability is XSS here. Once that door is open, the site isn't yours anymore. An XSS can do anything your front end can do.

DanielAWhite

Cookie sessions are session management: the server needs to maintain a large number of registration records of client IDs to control the clients, and this is a huge problem. JWT is more like keys and locks: the server does not need to record who has the key; whoever has the key can unlock. It is that simple and reliable; the only security hazard is how to make the client keep the key properly.

butterfly

Nobody nowadays creates stateful applications that store sessions; it is against good practices of developing APIs.

yahyasalimi

Thank you for the good video. I saw in the video that you set the credentials option to true (17:40); doesn't that part create a CSRF security threat?

seongamkim

Guys, I need help. Signing a JWT will prove to the server that it is legit, but should I also encrypt it even if it doesn't have sensitive info? Does it provide extra protection?

nullpointer

The intent of the message you are trying to get across is great, so I don't want to be too critical, but I have a couple of problems with the video:

'You can always assume you have an XSS' - why? If you use a good UI framework (and there are many of them that are very robust) then this is not a good assumption. Yes, someone who is inexperienced could definitely introduce XSS, but that reinforces the need to use a good UI framework. Either way, understanding XSS and having a strategy to deal with it is the key.

Saying 'storing a JWT in local storage is bad because someone can come into your page and steal the JWT through an XSS vulnerability' is like saying 'using a front door key to your house is bad because if you leave your front door open someone can come in and steal your front door key'. If you leave your front door open then probably someone is not interested in your key, they are interested in your house (that's the reason they wanted your key in the first place).

More importantly, an XSS vulnerability can potentially allow saving malicious code to the back end, which could affect many more users. If you have an XSS vulnerability then that is a way bigger issue than storing your JWT in local storage.

paulwojcik

Thanks for all the comments below; thanks to you I didn't waste my time.

Weagle

Really dislike seeing a video title that says "stop doing what..."; dig a bit more, then publish.

jingzheshan

What if the request is cross-domain?

albinocordova

How does adding the JWT to the HTTP-only cookie solve the issue if the request comes from the same origin in the way you demonstrated this XSS? Both localStorage and cookies are only accessible by the domain that created/used them, so if the XSS is successful both approaches would expose the JWT. What am I missing?

cn

Still not safe at all against CSRF attacks, so a CSRF token should be implemented.

khoroshoigra

How do the frontend and the server communicate in production? The cookie is only used for the same domain and can't be used between different domains. I did the same as you did but it's not working. Any suggestions?

mohamedghaly

I can tell you it's better not to use JS in the backend at all, not just JWT.

kamalkamals

How are you able to see what you store with HttpOnly? As long as I set this flag to true, I can't access them within the browser =((( the fuuuuck

alexanderdiakonov