DQM

Reputation: 552

JWT Auth vs Session Auth for API

I'm developing an API that requires some authenticating functions.

I usually use the session method: the user posts to the login API and I return a session ID. Then, for all the other API calls, the user needs to attach that session ID.

My supervisor suggests that I use JWT for this kind of job. But I can't seem to find any remarkable pros of using JWT over the above session method. There's even a huge con in case I want to maintain some kind of "session data" when using JWT.

Do you have any idea about the pros of using JWT in this case? Should I migrate the old code to JWT?

Upvotes: 1

Views: 2465

Answers (1)

Alexandre Bourlier

Reputation: 4128

I eventually came upon this article, which kind of covers the whole topic and thus answers the question:

http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/

Stateless JWT tokens cannot be invalidated or updated, and will introduce either size issues or security issues depending on where you store them. Stateful JWT tokens are functionally the same as session cookies, but without the battle-tested and well-reviewed implementations or client support.

Unless you work on a Reddit-scale application, there's no reason to be using JWT tokens as a session mechanism. Just use sessions.

Upvotes: 1
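The point the answer quotes, that a stateless JWT cannot be invalidated while a server-side session can, is easy to see in code. The following is an added example, not code from the question, the answer, or the linked article. It hand-rolls HS256 signing with the Python standard library instead of using a JWT library, so it runs offline; the secret key, the fixed timestamps, the `SessionStore` class and the helper names are all constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumption: a server-side HMAC key, constructed for this example only.
SECRET = b"constructed-demo-secret-do-not-reuse"
TTL = 3600  # lifetime of both sessions and tokens, in seconds


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def issue_jwt(user_id: str, now: int) -> str:
    """Mint a stateless HS256 JWT; the server keeps no record of it."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": now, "exp": now + TTL,
               "jti": secrets.token_urlsafe(16)}
    signing_input = f"{_encode_json(header)}.{_encode_json(payload)}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jwt(token: str, now: int, revoked_jtis=frozenset()):
    """Return the payload if the token verifies, else None.

    `revoked_jtis` is the optional server-side denylist that turns a
    stateless JWT into a stateful one, i.e. back into a session store."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm server-side; never let the token's header choose it.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    payload = json.loads(_b64url_decode(p))
    if payload.get("exp", 0) <= now or payload.get("jti") in revoked_jtis:
        return None
    return payload


class SessionStore:
    """The question's 'session method': an opaque ID mapped to server state."""

    def __init__(self):
        self._sessions = {}

    def create(self, user_id: str, now: int) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable and carries no data
        self._sessions[sid] = {"sub": user_id, "exp": now + TTL}
        return sid

    def lookup(self, sid: str, now: int):
        session = self._sessions.get(sid)
        if session is None or session["exp"] <= now:
            return None
        return session

    def revoke(self, sid: str) -> None:
        self._sessions.pop(sid, None)  # logout really ends the session


def compare_logout(now: int = 1_700_000_000) -> dict:
    """Log in, then log out, with both mechanisms; report who still gets in."""
    store = SessionStore()
    sid = store.create("alice", now)
    session_before = store.lookup(sid, now) is not None
    store.revoke(sid)
    session_after = store.lookup(sid, now) is not None

    token = issue_jwt("alice", now)
    jwt_before = verify_jwt(token, now) is not None
    # "Logout" with a stateless JWT: there is nothing server-side to delete,
    # so the same token keeps working until exp.
    jwt_after_logout = verify_jwt(token, now + 60) is not None
    jwt_after_expiry = verify_jwt(token, now + TTL) is not None
    # Stateful variant: remember the revoked jti, which is a session store again.
    denylist = {verify_jwt(token, now)["jti"]}
    jwt_after_denylist = verify_jwt(token, now + 60, denylist) is not None

    # Tampering check: editing the payload invalidates the signature.
    h, _, s = token.split(".")
    forged_payload = _encode_json({"sub": "admin", "exp": now + TTL})
    forged_accepted = verify_jwt(f"{h}.{forged_payload}.{s}", now) is not None

    return {
        "session_before_logout": session_before,
        "session_after_logout": session_after,
        "jwt_before_logout": jwt_before,
        "jwt_after_logout": jwt_after_logout,
        "jwt_after_expiry": jwt_after_expiry,
        "jwt_after_denylist": jwt_after_denylist,
        "forged_jwt_accepted": forged_accepted,
    }


if __name__ == "__main__":
    for name, value in compare_logout().items():
        print(f"{name}: {value}")
```

Running `compare_logout()` shows the asymmetry: the revoked session ID is rejected immediately, while the stateless JWT is still accepted after "logout" and only dies at `exp`. Rejecting it earlier requires a server-side denylist keyed on `jti`, at which point the server is doing a per-request lookup exactly as it would for a session ID, which is the answer's point about stateful JWTs.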
