Using HMAC signed cookies instead of JWT for authentication

Since most people seem to caution against storing JWT tokens in localStorage and recommend keeping them in HttpOnly cookies, in this case I don't really see the advantage of using JWT auth. Why not just use cookie auth to begin with instead of messing around with access_tokens and refresh_tokens? Stateless authentication can be achieved using signed cookies, similar to a JWT token. Does JWT's two-token system (short-lived access_token and long-lived refresh_token) offer better security?

I understand that before sending a new access_token, the server validates the refresh_token against the database (to check whether the token has been blacklisted, etc.), so that makes JWT auth only partially stateless. But this can be achieved with signed cookies as well; for example, we can validate the session against the database every 15 minutes, something like this:

```python
import time

def should_revalidate(cookie_issued_at):
    """cookie_issued_at: the cookie's issue time in unix seconds (read from the signed cookie)."""
    current_time = time.time()  # unix time in seconds
    if (current_time - cookie_issued_at) >= 900:
        # validate session from database
        # issue new cookie if session still valid
        return True
    return False
```

To me, it seems this approach offers the same performance and security benefits as JWTs stored in cookies. My question is: what are the drawbacks of this approach compared to JWT sent over cookies, and why isn't this approach more popular?
http://dlvr.it/S23zRl
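An added example, not code from the question or from any answer on the page: a minimal working version of the signed-cookie scheme the question sketches, using only Python's standard library. The claim names (`sid`, `sub`, `iat`), the in-memory `session_db` dictionary and `DEMO_KEY` are assumptions made for the demo. The `demo()` walk-through also shows the property a practitioner should check before adopting the scheme: a revoked session keeps working until the 15-minute window elapses, which is exactly the revocation lag of a short-lived JWT access token.

```python
import base64
import hashlib
import hmac
import json

REVALIDATE_AFTER = 900  # seconds; the 15-minute window from the question
DEMO_KEY = b"constructed-demo-key-do-not-use-in-production"  # constructed for the demo


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(payload: dict, key: bytes) -> str:
    """Serialise the payload deterministically and append an HMAC-SHA256 tag."""
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(tag)


def verify_cookie(cookie: str, key: bytes):
    """Return the payload dict if the tag verifies, else None (constant-time compare)."""
    try:
        body, tag_b64 = cookie.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag_b64)):
            return None
        payload = json.loads(_unb64(body))
    except ValueError:  # missing ".", bad base64 and bad JSON all raise ValueError
        return None
    return payload if isinstance(payload, dict) else None


def authenticate(cookie: str, key: bytes, session_db: dict, now: float):
    """The scheme from the question: trust the signature alone while the cookie is
    younger than REVALIDATE_AFTER; after that, look the session up in the database
    and, if it is still valid, reissue the cookie with a fresh issue time.
    Returns (subject, new_cookie_or_None); (None, None) means not authenticated."""
    payload = verify_cookie(cookie, key)
    if payload is None or not all(k in payload for k in ("sid", "sub", "iat")):
        return None, None
    if now - payload["iat"] < REVALIDATE_AFTER:
        return payload["sub"], None  # fast path: no database hit
    session = session_db.get(payload["sid"])
    if session is None or session["revoked"]:
        return None, None
    fresh = sign_cookie({"sid": payload["sid"], "sub": payload["sub"], "iat": now}, key)
    return payload["sub"], fresh


def demo():
    """Walk through the accept / forge / reissue / revoke cases with a fixed clock."""
    session_db = {"s1": {"revoked": False}}  # constructed stand-in for the session table
    t0 = 1_700_000_000
    cookie = sign_cookie({"sid": "s1", "sub": "alice", "iat": t0}, DEMO_KEY)
    out = {}
    out["fresh"] = authenticate(cookie, DEMO_KEY, session_db, t0 + 10)

    # Attacker keeps the valid tag but swaps the body to claim a different subject.
    forged_body = _b64(json.dumps({"iat": t0, "sid": "s1", "sub": "admin"},
                                  separators=(",", ":")).encode())
    forged = forged_body + "." + cookie.split(".", 1)[1]
    out["forged"] = authenticate(forged, DEMO_KEY, session_db, t0 + 10)

    # Past the window the database is consulted and a new cookie is issued.
    out["reissued"] = authenticate(cookie, DEMO_KEY, session_db, t0 + REVALIDATE_AFTER)

    # Revocation only bites once the window has elapsed: same lag as a JWT access token.
    session_db["s1"]["revoked"] = True
    out["revoked_in_window"] = authenticate(cookie, DEMO_KEY, session_db, t0 + 100)
    out["revoked_after_window"] = authenticate(cookie, DEMO_KEY, session_db, t0 + REVALIDATE_AFTER)
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22s} -> {result}")
```

The fast path never touches the database, so the cost and the security trade-off are the same as a JWT access token with a 15-minute lifetime: the window is the longest time a revoked session stays usable. Anything stricter (instant logout, absolute session lifetime) has to come from the database check, which is why the scheme is only partially stateless, exactly as the question observes for refresh tokens.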
