Ben Aston

Reputation: 55729

JSON Web Token (JWT) advantages/disadvantages over Cookies

One advantage of a JWT over a cookie seems to be that it bypasses the origin restrictions on cookies.

Can someone help me understand any other advantages and importantly any other disadvantages to JWTs?

Upvotes: 23

Views: 20104

Answers (3)

PR7

Reputation: 1894

Advantages

  1. JWT is a stateless authentication mechanism, as the user state is never saved in the database. As JWTs are self-contained, all the necessary information is there, reducing the need to go back and forth to the database. With JWT we don't need to query the database to authenticate the user for every API call.
  2. Protects against CSRF (Cross Site Request Forgery) attacks.
  3. JWT is compact. Because of its size, it can be sent through a URL, a POST parameter, or inside an HTTP header.
  4. You can authorize only the requests you wish to authorize. Cookies are sent for every single request.
  5. You can send a JWT to any domain. This is especially useful for single page applications that consume multiple services that require authorization - so I can have a web app on the domain myapp.com that can make authorized client-side requests to myservice1.com and to myservice2.com. Cookies are bound to a single domain. A cookie created on the domain foo.com can't be read by the domain bar.com.

Disadvantages

  1. Not easy to revoke a JWT, as it is a stateless authentication mechanism. It makes it difficult to implement features like "Sign out from all devices". This is easy to implement using session-based authentication, as we just need to delete the session from the database.
  2. Need to write some code to implement whereas cookies work out of the box.

Upvotes: 8

Nicolas Manzini

Reputation: 8546

As far as I use it, a JWT is just a token used to represent data that cannot be counterfeited by the client. You can pass it to the server through an HTTP header or through a cookie. You just need to implement on your server side both ways to access the JWT before processing it. The cookie is practical for web browsers, but using a header is easier for plain HTTP requests, like when using curl or native apps. JWT is protocol agnostic: you can also use it in a web socket, put it in a JSON payload or anywhere else, as long as it can be accessed and decoded on the receiving side.

Upvotes: 0

Hans Z.

Reputation: 53888

A lot of web-related info can be found in a similar post here: Token Authentication vs. Cookies; I would like to call out some "architectural" differences:

  1. JWTs are a standardized container format to encode user and client related information in a secure way using "claims" (whereas cookie contents and signing/encryption are not standardized)
  2. JWTs are not restricted to present session-like information about the authenticated user itself; they can also be used to delegate access to clients that act on behalf of the user
  3. JWTs allow for a more granular access model than cookies because JWTs can be limited in "scope" (what they allow the client to do) as well as time

Upvotes: 12
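As an added example (not code from any of the answers above), here is a minimal HS256 JWT issuer and verifier using only Python's standard library. It ties together points from PR7's and Hans Z.'s answers: the server validates the token with no session store, the `exp` and `scope` claims bound what the token allows and for how long, and revoking a token before it expires needs some server-side state after all (here a constructed set of revoked `jti` values). The key, claim names and values are constructed for the demo.

```python
import base64, binascii, hashlib, hmac, json, time

def _b64url(data: bytes) -> str:
    """Base64url without padding, as the JWT spec requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    """Issue a compact HS256 token: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes, required_scope: str, revoked: set, now=None):
    """Return the claims if the token is valid for this request, else None.
    No database lookup is needed except the (constructed) revocation set."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, binascii.Error):  # malformed token
        return None
    # Pin the algorithm: never let the token choose it (rejects "none" etc.).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time compare
        return None
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None  # expired or missing expiry: time-limited by design
    if required_scope not in str(claims.get("scope", "")).split():
        return None  # token is valid but not for this operation
    if claims.get("jti") in revoked:
        return None  # the one stateful check: early revocation ("sign out everywhere")
    return claims

if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"
    tok = sign_jwt({"sub": "alice", "scope": "read:orders", "exp": 2000, "jti": "t1"}, key)
    print(tok)
    print(verify_jwt(tok, key, "read:orders", set(), now=1000))   # claims dict
    print(verify_jwt(tok, key, "write:orders", set(), now=1000))  # None: scope
    print(verify_jwt(tok, key, "read:orders", {"t1"}, now=1000))  # None: revoked
```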
