Don’t Use JWT for Login Sessions

Why you shouldn't use JWT tokens for user authentication in your app (vs sessions).

📣 Follow Coding in Flow on social media:
Comments
Author

The real advantage of JWTs is that the server doing the authentication doesn't need to be the same server that does the validation. This is really good for SSO applications.

And it's possible to invalidate a JWT if you're willing to give up the idea of statelessness.

MechMK
Author

Well...
From stateless we went back to stateful... indirectly, but yes 🤣

depression_plusplus
Author

And no matter which of those you use, every junior pentester is happy about you making it so easy to intrude ^^

Takio
Author

What if I just use NextJs as the frontend and the backend/API in another language on another server where you don't have access to the database? Why shouldn't I use JWT?

ayukalvieri
Author

People say a session is only stored on one instance of a server, which makes it troublesome to always authenticate.

kishDoesThings
Author

If you already have Redis, why not just have a persistent blocklist, each entry with a TTL of the JWT's expiration? 😅 Also, a refresh JWT has nothing to do with logout behavior.

mikeyangyang
Author

Hey, express-session doesn't work well with Redis anymore; can you show us a basic configuration where it works?

deathdefier
Author

Building refresh tokens isn't elaborate and is basically the same thing as just making a JWT. But you'd be checking a cache or DB for the refresh token anyway. But I also don't think it's an argument for sessions over JWT.

terrypark
Author

Don't you need to query a central DB (or cluster) when your platform gets to the point where you need to scale to multiple server instances from the bastion by deploying copies of itself behind a load balancer?

sidthetech_USA
Author

How do you properly log in using Firebase Auth?

alitonoliveira
Author

Why have JWT if you want to be stateful… Also, you can use OpenID, which contains client- and server-side packages that will help you accomplish this.

IamPali
Author

So what should I use for authentication? Tell me the name of the technology I should use for safe authentication. I'm losing a lot of time in the educational series. I want to do something now, but something is always missing. I don't want to use ready backend services (Supabase, Firebase). Is there a technology that you can tell me "Learn this technology and you will be able to build a fully secure authentication system"? Please tell me, because I don't want to waste time anymore. And one of the things I fear the most is the leakage of users' information from the system I built. That means I need a safe authentication system.

Prag
Author

So what happens when your redis database crashes or restarts?

samuelvalentine
Author

Wait, can't you just delete the token when the password is changed? Yes, it needs DB storage, but it's not much of a cost if you ask me!

mdahsanraza
Author

Implementing JWT isn't that hard or time-consuming. If you think it will take time, then idk what kind of product you are building.

sandzz
Author

It's not difficult at all... I implemented such a mechanism recently, and it was actually fun to learn about JWT and how it can be implemented securely.

yagami-light
Author

I want a video about JWT handling with Redis.

dileepa-mnto
Author

In Django it's very easy using Simple JWT; it all comes in one package.

mukithasan
Author

So basically, if you had to choose between JWT and cookies/sessions, you would pick sessions because of the security they offer and because a session can be invalidated?

pqyh
Author

I made my own JWT session management in Django.

JatinderSingh-nrdn
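The revocation approach several commenters above describe (keep a Redis blocklist whose entries live only as long as the JWT itself, so logout and password changes work without a full session store) as an added example that is not code from the video or from any commenter: a minimal HS256 issuer and verifier with an in-memory stand-in for Redis SETEX/EXISTS. The secret, the claim names and the `jwt:revoked:` key prefix are assumptions made for the example.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key-not-for-real-use"  # constructed for this example

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict) -> str:  # claims must carry a unique 'jti' and an 'exp'
    signing_input = _b64(b'{"alg":"HS256","typ":"JWT"}') + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

class Blocklist:
    """In-memory stand-in for Redis SETEX/EXISTS: key -> absolute expiry time."""
    def __init__(self, clock=time.time):
        self.clock, self._entries = clock, {}
    def setex(self, key: str, ttl: float) -> None:
        self._entries[key] = self.clock() + ttl
    def exists(self, key: str) -> bool:
        if self._entries.get(key, 0) > self.clock():
            return True
        self._entries.pop(key, None)  # Redis would already have evicted it
        return False

def verify(token: str, blocklist: Blocklist, now: float = None):
    """Return the claims if signature, 'exp' and blocklist all pass, else None."""
    now = time.time() if now is None else now
    try:  # the header's 'alg' is deliberately ignored: the server always expects HS256
        header_b64, payload_b64, sig_b64 = token.split(".")
        expected = hmac.new(SECRET, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None  # wrong key, or tampered header/payload
        claims = json.loads(_unb64(payload_b64))
    except (ValueError, TypeError):
        return None  # malformed token
    if claims.get("exp", 0) <= now:
        return None  # expired (or never had a usable 'exp')
    if blocklist.exists("jwt:revoked:" + str(claims.get("jti"))):
        return None  # revoked by logout or password change before 'exp'
    return claims

def revoke(token: str, blocklist: Blocklist, now: float = None) -> bool:
    """Logout: block the jti for exactly the time the token has left to live."""
    now = time.time() if now is None else now
    claims = verify(token, blocklist, now)  # an already-invalid token needs no entry
    if claims is not None:
        blocklist.setex("jwt:revoked:" + claims["jti"], claims["exp"] - now)
    return claims is not None
```

Because each blocklist entry expires together with the token it names, the store only ever holds tokens that could still be replayed, which keeps it small compared with a full session table.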