JWT, Stateless Authentication, and Security


I'm working on an application where scalability is a big concern. In the past I've used session-based authentication, but I decided to go stateless on the server this time around in order to facilitate horizontal scaling.

I'm not a security expert, but in researching JWTs, it began to seem like they are insecure. The whole reason we hash passwords is so that if our database is compromised, an attacker cannot impersonate a user. With a JWT, we store a secret on the server. If an attacker gains access to the secret, can't they impersonate any user they want? Doesn't that mean using JWTs has the same level of security as storing plain text passwords?

I have read that people use Redis to cross-reference JWTs, but then the server isn't stateless, and I fail to see the benefit of using JWTs at all.

Could someone clarify this issue for me?

Session-based authentication systems, at least the ones worth using, store a secret on the server. Just like with a JWT, that secret is used to sign the data stored in the cookie that session-based authentication uses. It is no different from a JWT.

All of this is totally unrelated to password storage, as the password is only used when you don't have a cookie/JWT.

edit:

I'm not sure how you would be using Redis in conjunction with JWT... What is being stored in Redis, the token? That seems pointless, as the server only needs to know the secret to decode the token.

Here are some of the benefits of using JWT:

  • It's stateless, as you've mentioned.
  • It's not subject to CSRF/XSRF attacks. These attacks work by tricking the browser into sending a cookie to a server that didn't generate the cookie. This can't happen with a JWT because the browser doesn't send the JWT automatically the way it does with cookies.
  • JWTs are standardized. There is a defined way to generate them, which means JWTs are more portable, and the process has been vetted by the security community.
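
The answer's two points, that a signed session cookie and a JWT both rest on one server-side secret, and that password hashing is a separate mechanism only consulted at login, can be shown end to end. The block below is an added example, not code from the question or the answer: it mints and verifies an HS256 JWT and an HMAC-signed session cookie with the same secret using only the Python standard library, and gates token issuance behind a PBKDF2 password check. The signing key, salt, user record, session id and timestamps are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example key. In production use >= 32 random bytes from os.urandom
# and keep it out of the database that holds the password hashes.
SECRET = b"constructed-example-signing-key"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()

def mint_jwt(claims: dict, secret: bytes) -> str:
    """HS256 JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = _b64url(_json({"alg": "HS256", "typ": "JWT"}))
    payload = _b64url(_json(claims))
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, else None.
    Stateless: only the secret is needed, nothing is looked up server-side."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
        # Pin the algorithm; never let the token choose how it is verified.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed structure, base64 or JSON
        return None
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims

def mint_session_cookie(session_id: str, secret: bytes) -> str:
    """A signed session cookie uses the same server secret the same way: HMAC over the value."""
    mac = hmac.new(secret, session_id.encode(), hashlib.sha256).digest()
    return f"{session_id}.{_b64url(mac)}"

def verify_session_cookie(cookie: str, secret: bytes) -> Optional[str]:
    sid, _, mac_b64 = cookie.rpartition(".")
    expected = hmac.new(secret, sid.encode(), hashlib.sha256).digest()
    try:
        return sid if sid and hmac.compare_digest(expected, _b64url_decode(mac_b64)) else None
    except ValueError:
        return None

# Password storage is a separate mechanism: the hash is only consulted at login,
# and the signing secret plays no part in it.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

USERS = {"alice": (b"constructed-salt", hash_password("correct horse", b"constructed-salt"))}

def login(username: str, password: str, now: int) -> Optional[str]:
    salt, stored = USERS.get(username, (b"", b""))
    if not stored or not hmac.compare_digest(stored, hash_password(password, salt)):
        return None
    return mint_jwt({"sub": username, "exp": now + 900}, SECRET)

def demo(now: int = 1_700_000_000) -> dict:
    r = {}
    token = login("alice", "correct horse", now)
    r["login_wrong_password"] = login("alice", "wrong", now)                    # None
    r["jwt_valid"] = verify_jwt(token, SECRET, now)["sub"]                        # "alice"
    h, _, s = token.split(".")
    admin = _b64url(_json({"sub": "admin", "exp": now + 900}))
    r["jwt_tampered"] = verify_jwt(f"{h}.{admin}.{s}", SECRET, now)              # None: MAC no longer matches
    r["jwt_wrong_key"] = verify_jwt(mint_jwt({"sub": "admin"}, b"guess"), SECRET, now)  # None
    r["jwt_expired"] = verify_jwt(token, SECRET, now + 901)                       # None
    # With the secret in hand an attacker mints whatever they like; a signed session
    # cookie made with the same secret fails in exactly the same way.
    r["jwt_forged_with_secret"] = verify_jwt(mint_jwt({"sub": "admin"}, SECRET), SECRET, now)["sub"]
    cookie = mint_session_cookie("sess-4f2a", SECRET)
    r["cookie_valid"] = verify_session_cookie(cookie, SECRET)                    # "sess-4f2a"
    r["cookie_tampered"] = verify_session_cookie("sess-0000." + cookie.split(".")[1], SECRET)  # None
    r["cookie_forged_with_secret"] = verify_session_cookie(mint_session_cookie("sess-0000", SECRET), SECRET)
    return r

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the symmetry: a tampered payload, a token signed with a guessed key, and an expired token are all rejected without any server-side lookup, while a token or cookie minted with the real `SECRET` is accepted for any subject, so the blast radius of a leaked signing key is the same for the two designs, and the PBKDF2 hash stays irrelevant to both once the client holds a token. Transport is out of scope here: `verify_jwt` takes the token string however it arrived, whether from an `Authorization` header or a cookie.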
