JSON Web Tokens

What are JSON Web Tokens? Can they really replace traditional session cookies? This article is a note made while studying JWT.

What is JSON Web Tokens

JSON Web Token, abbreviated JWT and pronounced "jot", is an IETF standard (RFC 7519) that defines a compact, URL-safe way to pass claims between two parties. The claims are carried in a JSON object, which is where the name comes from. The token is digitally signed, so the receiver can check that the claims have not been altered; the signature uses either a shared secret (HMAC, e.g. HS256) or a public/private key pair (RSA or ECDSA, e.g. RS256, ES256). Note that a signed JWT is not encrypted: anyone who holds the token can base64url-decode the header and payload and read them. Encryption is a separate mechanism (JWE) that most session-style deployments do not use.

How to use JSON Web Tokens

After the user logs in, the server returns a JSON Web Token, which the client stores in the browser’s local storage or in a cookie.

When the user later requests a resource that requires authentication, the client sends the JWT back to the server, usually in the Authorization header:

Authorization: Bearer <token> 

This is lighter for the server than the session cookie method because the server keeps no per-user session state (it is stateless): it verifies the signature and reads the claims inside the JWT to decide whether the user may access the resource.
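The token structure from the previous section and the login / Authorization-header flow above, as an added example that is not code from the original article. It mints and verifies HS256 tokens with only the Python standard library; the secret, the claim values and the timestamps are constructed for the example. It also shows the two checks a practitioner wants the verifier to make: the algorithm is pinned rather than read from the token, and the signature is compared in constant time.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    # JWT uses base64url without '=' padding (RFC 7515 section 2)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes, ttl_seconds: int, now=None) -> str:
    """Create a signed (not encrypted) HS256 token: header.payload.signature."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, secret: bytes, now=None) -> dict:
    """Return the claims if signature and expiry check out, else raise ValueError."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose ("none", or RSA-to-HMAC confusion)
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak how many bytes matched
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if not isinstance(claims, dict) or "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")
    return claims


def is_valid(token: str, secret: bytes, now=None) -> bool:
    try:
        verify_token(token, secret, now)
        return True
    except ValueError:
        return False


def claims_from_authorization(header_value: str, secret: bytes, now=None) -> dict:
    """What the resource server does with 'Authorization: Bearer <token>'."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("not a bearer token")
    return verify_token(token, secret, now)


def peek_payload(token: str) -> dict:
    """Anyone can read the payload without the key: it is signed, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))


def alg_none_token(claims: dict) -> str:
    """An attacker's unsigned token; a verifier that trusts 'alg' would accept it."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return header + "." + b64url_encode(json.dumps(claims).encode()) + "."


if __name__ == "__main__":
    secret = b"constructed-server-secret"  # example value, keep real secrets out of code
    tok = mint_token({"sub": "alice", "role": "user"}, secret, 900)
    print(tok)
    print(peek_payload(tok))
    print(claims_from_authorization("Bearer " + tok, secret))
```

Swapping the payload segment of one token onto the signature of another fails verification, an unsigned alg=none token is rejected before the signature is even looked at, and the payload is readable by anyone who has the token.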

Authentication flow

The Benefit of Using JSON Web Tokens

  1. Horizontal scaling is easy: any server that holds the verification key can validate a token
  2. Easier to maintain (no session store to run and clean up)
  3. Works for cross-domain RESTful APIs without relying on cookies
  4. Expiration is controlled by the exp claim inside the token
  5. A single token carries all the authentication information

Traditional Sessions

Session flow

After the user is authenticated, the server returns a session ID; on each later request the server looks the ID up to find the user’s information.

Problems

  1. Need a shared session store (database or cache) that every server can reach
  2. Every request costs a lookup in that store before the user is known

Potential Problems of JSON Web Token

  1. XSS, CSRF, replay attacks and MITM all apply, because whoever holds the token is the user
  2. A signed JWT prevents tampering, not reading or theft. Stored in local storage it can be read by any JavaScript running on the same origin (XSS); stored in a cookie without HttpOnly the same is true, and a cookie is also sent automatically with every request to that site, which is exactly what a CSRF attack exploits unless the cookie is marked SameSite and the server checks an anti-CSRF token
  3. A JWT is much larger than a simple session ID and is sent on every request
  4. The shared secret or private key used for signing must be protected: anyone who has it can mint tokens for any user. The verifier must also pin the expected algorithm instead of trusting the token’s own alg header
  5. A token stays valid until it expires. Logout, a password change or an account lockout cannot invalidate it without a server-side revocation list, which brings back the state JWT was meant to remove

How to Deal with Replay Attacks

  1. Use a short expiration time (exp), so a captured token is useful only briefly
  2. Have the client refresh the token frequently, rotating to a new token before the old one expires
  3. Keep a server-side revocation list (by jti or by user) to block tokens known to be stolen
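The three measures above combined, as an added example that is not code from the original article. It works on already-verified claims (signature checking is a separate step) and keeps the revocation list small by forgetting a jti as soon as the token it names has expired, which is why a short exp matters: the list only ever holds tokens that are still live. The TTL value, the timestamps and the subject are constructed for the example.

```python
import secrets


class RevocationList:
    """jti denylist that forgets an entry once the token it names has expired."""

    def __init__(self):
        self._revoked = {}  # jti -> exp

    def revoke(self, jti: str, exp: int) -> None:
        self._revoked[jti] = exp

    def prune(self, now: int) -> None:
        # An expired token fails the exp check anyway, so its jti need not be kept
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}

    def is_revoked(self, jti: str, now: int) -> bool:
        self.prune(now)
        return jti in self._revoked

    def __len__(self) -> int:
        return len(self._revoked)


ACCESS_TTL = 300  # assumed value: five minutes limits how long a stolen token works


def issue_claims(subject: str, now: int, ttl: int = ACCESS_TTL) -> dict:
    """Claims for a fresh token; jti makes each token individually revocable."""
    return {"sub": subject, "iat": now, "exp": now + ttl, "jti": secrets.token_hex(16)}


def accept(claims: dict, revoked: RevocationList, now: int) -> bool:
    """What the resource server checks after the signature has been verified."""
    exp = claims.get("exp")
    if exp is None or now >= exp:
        return False
    jti = claims.get("jti")
    if jti is None or revoked.is_revoked(jti, now):
        return False
    return True


def refresh(claims: dict, revoked: RevocationList, now: int) -> dict:
    """Rotate: issue a new jti/exp and revoke the old one so it cannot be replayed."""
    if not accept(claims, revoked, now):
        raise ValueError("cannot refresh an invalid token")
    revoked.revoke(claims["jti"], claims["exp"])
    return issue_claims(claims["sub"], now)


def logout(claims: dict, revoked: RevocationList) -> None:
    """Logout is the same operation as rotation minus the new token."""
    revoked.revoke(claims["jti"], claims["exp"])
```

A refreshed token's predecessor is refused if it is presented again, a logged-out token is refused until it expires, and once it has expired the list drops it on the next prune.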

The Benefit of Storing JWT or Session ID in Cookies

Browsers send cookies automatically on every request to the site, so the token reaches the server without any JavaScript on the page. Mark the cookie HttpOnly (scripts cannot read it), Secure (sent only over HTTPS) and SameSite (not attached to cross-site requests). The automatic sending is also what makes CSRF possible, so a cookie-borne token still needs CSRF protection.
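A weak and a hardened Set-Cookie header side by side, with a small audit function that reports which protections are missing, as an added example that is not code from the original article. The cookie name, value and lifetime are constructed for the example; the attribute names are the standard ones browsers understand.

```python
def set_cookie_header(name, value, *, http_only=True, secure=True,
                      same_site="Strict", max_age=None):
    """Build a Set-Cookie value; the defaults are the hardened form."""
    parts = [f"{name}={value}", "Path=/"]
    if max_age is not None:
        parts.append(f"Max-Age={max_age}")
    if secure:
        parts.append("Secure")          # only sent over HTTPS
    if http_only:
        parts.append("HttpOnly")        # not readable from document.cookie
    if same_site:
        parts.append(f"SameSite={same_site}")  # not attached to cross-site requests
    return "; ".join(parts)


def cookie_findings(header_value: str) -> list:
    """Audit a Set-Cookie value and list the protections it lacks."""
    attrs = {}
    for part in header_value.split(";")[1:]:
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val
    findings = []
    if "httponly" not in attrs:
        findings.append("HttpOnly missing: page scripts can read the token (XSS)")
    if "secure" not in attrs:
        findings.append("Secure missing: token is sent over plain HTTP (MITM)")
    if attrs.get("samesite", "").lower() not in ("strict", "lax"):
        findings.append("SameSite not Strict/Lax: cross-site requests carry it (CSRF)")
    return findings


if __name__ == "__main__":
    weak = set_cookie_header("jwt", "eyJ...", http_only=False, secure=False, same_site=None)
    strong = set_cookie_header("jwt", "eyJ...", max_age=300)
    for h in (weak, strong):
        print(h, "->", cookie_findings(h) or "ok")
```

SameSite=None is treated as missing because it explicitly re-enables cross-site sending; a cookie that must be sent cross-site needs the CSRF token check the section above mentions.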

Conclusion

Don’t use JWTs for persistent, long-lived data; keep them short-lived and treat them as bearer credentials.

References

  1. https://ponyfoo.com/articles/json-web-tokens-vs-session-cookies
  2. http://by.jtl.xyz/2016/06/the-unspoken-vulnerability-of-jwts.html
  3. https://stackoverflow.com/questions/37582444/jwt-vs-cookies-for-token-based-authentication
  4. https://dzone.com/articles/jwtjson-web-tokens-are-better-than-session-cookies
  5. http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/
  6. https://jwt.io/