Option 1: Eliminate database lookup (step 4) Make the extra database lookup much faster so that the additional hop won’t matter.Somehow eliminate database lookup for users completely (i.e.So every single API call leads to at least two slow DB calls which can slow down the overall response time. The problem is that step four is slow and needs to be repeated for every single action the user does.
The main problem with the traditional approach And finally, it tells the front end that the tweet was sent.If the user exists and is allowed to do that action (i.e send a tweet), the server allows them to do the action.When the server receives the session token, it won’t know who the user is, so it sends that to the database to retrieve (4a) the actual user’s info (like userId) from that token.But the token is just a random string, so how can the server know who you are just from the session token? Then along with your tweet, your app will also send the session token (through a cookie or a header) so that the server can identify who you are. Next, say you wrote and submitted a tweet.This token is then stored in the cookie or in the local storage of the app.The server then sends you a session token to the front-end mobile or web application.(Note: A session token is a long unidentifiable string-aka opaque string-that looks like this: fsaf12312dfsdf364351312srw12312312dasd1et3423r) The server then creates a session token, stores that token along with the user’s info in some database.
You log in, write a tweet, like a tweet, then retweet someone else’s tweet. Also, I’ve listed all the other articles in the resources section down below that go into the nitty-gritty of JWT.īefore we understand why it’s dangerous, let’s first understand how it works by taking an example use case. In any case, in this blog post, I’d like to focus on the potential dangers of using JWT and also talk about a battle-tested solution that’s been around for a decade.įor further understanding, when I talk about JWT, I mean “stateless JWT,” which is the primary reason for the popularity of JWTs and the biggest reason to use a JWT in the first place. If you think about it, these constant debates themselves should be a red flag because you should never see such debates, especially in the security realm. But, it’s not all bad because there are regular long and passionate debates about JWT on Hacker News (see here, her e and, here), so there is hope. So I think this is a case where the marketing has beaten engineers and security experts. “JSON” (generally well-liked), “Web”(for web), and “Token”(implies stateless) make people think that it’s perfect for their web authentication job. Or maybe it’s the perfect, buzzworthy, and friendly name that’s leading to its popularity. They also never compare it with the existing battle-tested approaches deep enough to really weigh the pros and cons.
#SIGN OUT OF OPEN LINKEDIN SESSIONS HOW TO#
More specifically, they just show how to use it but don’t talk about revocations and additional complexities that JWT adds in a real production environment. If you look at many of these videos and articles, they all just talk about the perceived benefits of JWT and ignore the deficiency. Yet, these warnings are overshadowed by marketers, YouTubers, bloggers, course creators, and others who knowingly or unknowingly promote it. There are many in-depth articles and videos from SMEs of companies like Okta talking about the potential dangers and inefficiencies of using JWT tokens. Source: “JWT should not be default for your sessions” (see reference below for links). Source: “Why JWTs Are Bad for Authentication”- Randall Degges, Head of Developer Advocacy, Okta. Source: “Stop using JWT for sessions” (see reference below for links). To use a metaphor, if you are a hammer, everything looks like a nail. The problem may appear similar, but utilizing unique technologies to solve general issues could create unanticipated consequences. Sometimes, people take technologies that are intended to solve a narrow problem and start applying them broadly.
0 kommentar(er)
