HeadwindFly

Reputation: 884

Can JWT work with mobile apps and is JWT a session replacement?

Some questions about JWT (JSON Web Token):

  1. Can it work with mobile?

In my opinion, it works with mobile, but is it a good solution for authentication? If not, what other solutions can be used for authentication between mobile app and server?

  2. Is it a session's replacement?

In a general way, a session will store some sensitive data; it cannot do this in JWT (cannot store sensitive data in the JWT payload, because it is unsafe).

In my opinion, sensitive data can only be stored in other places, like Redis. But think of it like this: what is the difference between JWT and a session? I am very confused now.

Upvotes: 3

Views: 2840

Answers (1)

Paul Wasilewski

Reputation: 10372

First of all, you should not put any sensitive data into your JWT payload. JWT is an access-token format to securely exchange claim information that is mainly used for authorization and is based on HMAC or a public/private key pair using RSA. JWT is also used for information exchange to securely transmit information.

> Can it work with mobile? In my opinion, it works with mobile, but is it a good solution for authentication? If not, what other solutions can be used for authentication between mobile app and server?

You are right. It works with all types of mobile apps (native, html5, hybrid). An alternative would be OAuth. But keep in mind JWT only defines the Access-token that can be used for Authorization.

> Is it a session's replacement?

I assume you mean sessionStorage/cookies? Then JWT is not a replacement.

> In a general way, a session will store some sensitive data; it cannot do this in JWT (cannot store sensitive data in the JWT payload, because it is unsafe).

Like I already wrote, you can encrypt your payload and exchange sensitive data through JWT.

> In my opinion, sensitive data can only be stored in other places, like Redis. But think of it like this: what is the difference between JWT and a session? I am very confused now.

They are two different things. Redis and sessionStorage/cookies are data structures, which are used to store (user/session related) data. JWT is an authentication mechanism.

Upvotes: 4
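To illustrate the answer's point that a signed JWT is readable by anyone holding it and that sensitive data belongs in a server-side store, here is an added example (not code from the question or the answer): it mints and verifies an HS256 token with only the Python standard library, and uses a plain dict, labelled as a stand-in for Redis, keyed by the token's `sub` claim. The key, store contents and claim values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment loads it from a secret store.
SECRET = b"demo-hmac-key-not-for-production"
# Server-side store standing in for Redis: sensitive data is looked up by
# subject after verification, so the token carries only an id and an expiry.
SERVER_SIDE_STORE = {"user-42": {"card_last4": "1234", "role": "admin"}}

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(claims, key=SECRET):
    """Build an HS256 JWT: base64url(header).base64url(payload).base64url(HMAC)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def read_payload_without_key(token):
    """Anyone holding the token can read its payload: signing is not encryption."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def verify_jwt(token, key=SECRET, now=None):
    """Return the claims only if the HMAC matches and the token has not expired."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":  # pin the algorithm
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None
    return claims

def sensitive_data_for(token, now=None):
    """Look the caller's sensitive record up server-side; the JWT only identifies them."""
    claims = verify_jwt(token, now=now)
    return None if claims is None else SERVER_SIDE_STORE.get(claims.get("sub"))
```

`read_payload_without_key` needs no key at all, which is why the card number and role live in `SERVER_SIDE_STORE` rather than in the token; `verify_jwt` rejects a wrong key, a tampered payload, a different `alg` and an expired `exp`.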
