Reputation: 7719
Is it secure to authenticate a user using the JSessionId that the client passes to the server?
Assume that in a Spring app we store the jsession id of a user who provided correct credentials while logging in, in a database, and we authenticate each subsequent request based on that jsession id.
Does this method provide the same security level as using Java Web Tokens?
Upvotes: 0
Views: 853
Reputation: 26
JWT tokens are cryptographically signed, so they are much more difficult to forge compared to session IDs.
Session IDs are generated using a secure random number generator which may be predictable depending on the implementation.
https://news.netcraft.com/archives/2003/01/01/security_advisory_2001011_predictable_session_ids.html
Some more information on why JWT is preferable over session IDs may be found here:
https://stormpath.com/blog/beginners-guide-jwts-in-java
Upvotes: 1
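To make the two approaches the question and answer compare concrete, here is an added example (not code from the question, the answer, or Spring itself) that implements both side by side with only the Java standard library. The first half is the scheme the question describes: an opaque session token drawn from SecureRandom, stored server-side (a ConcurrentHashMap is a stand-in for the database table) as a SHA-256 hash so a leaked table does not leak live sessions, and revocable by deleting the row. The second half is an HS256 JWT minted and verified by hand, with the checks that actually decide whether a signed token is hard to forge: the algorithm is pinned by the verifier rather than read from the token, the signature is compared in constant time, and the exp claim is enforced. The HMAC key is generated per run for the demo; a real deployment loads it from configuration. The regex-based claim extraction is a shortcut for constructed payloads; production code would use a JSON library.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class SessionVsJwtDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    // ---- Approach 1: opaque server-side session token (the scheme in the question) ----

    // Hypothetical stand-in for the DB table: base64url(sha256(token)) -> username.
    private static final Map<String, String> SESSION_STORE = new ConcurrentHashMap<>();

    static String tokenKey(String token) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
        return B64.encodeToString(digest);
    }

    /** 128 bits from SecureRandom: not guessable, and only the hash is persisted. */
    static String issueSession(String user) throws GeneralSecurityException {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String token = B64.encodeToString(raw);
        SESSION_STORE.put(tokenKey(token), user);
        return token;
    }

    /** A forged or revoked token simply has no row; no comparison against the stored value is needed. */
    static Optional<String> authenticateSession(String token) throws GeneralSecurityException {
        return Optional.ofNullable(SESSION_STORE.get(tokenKey(token)));
    }

    /** Revocation is immediate because the state lives on the server. */
    static void revokeSession(String token) throws GeneralSecurityException {
        SESSION_STORE.remove(tokenKey(token));
    }

    // ---- Approach 2: HS256 JWT minted and verified by hand ----

    private static final byte[] HMAC_KEY = new byte[32]; // demo key, generated per run (assumption)
    static { RNG.nextBytes(HMAC_KEY); }

    static byte[] hmacSha256(String data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(HMAC_KEY, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    static String issueJwt(String user, long ttlSeconds) throws GeneralSecurityException {
        String header = B64.encodeToString("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        long exp = Instant.now().getEpochSecond() + ttlSeconds;
        String payload = B64.encodeToString(("{\"sub\":\"" + user + "\",\"exp\":" + exp + "}")
                .getBytes(StandardCharsets.UTF_8));
        String signingInput = header + "." + payload;
        return signingInput + "." + B64.encodeToString(hmacSha256(signingInput));
    }

    /** Verify: three parts, alg pinned by the server, constant-time MAC check, exp enforced. */
    static Optional<String> authenticateJwt(String jwt) throws GeneralSecurityException {
        String[] parts = jwt.split("\\.", -1);
        if (parts.length != 3) return Optional.empty();
        byte[] expected;
        byte[] given;
        String header;
        String payload;
        try {
            header = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
            payload = new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
            given = B64D.decode(parts[2]);
        } catch (IllegalArgumentException badBase64) {
            return Optional.empty();
        }
        // The verifier decides the algorithm; a token claiming "none" or RS256 is rejected outright.
        if (!header.contains("\"alg\":\"HS256\"")) return Optional.empty();
        expected = hmacSha256(parts[0] + "." + parts[1]);
        if (!MessageDigest.isEqual(expected, given)) return Optional.empty(); // constant-time compare
        Matcher sub = Pattern.compile("\"sub\":\"([^\"]*)\"").matcher(payload);
        Matcher exp = Pattern.compile("\"exp\":(\\d+)").matcher(payload);
        if (!sub.find() || !exp.find()) return Optional.empty();
        if (Long.parseLong(exp.group(1)) <= Instant.now().getEpochSecond()) return Optional.empty();
        return Optional.of(sub.group(1));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String sess = issueSession("alice");
        System.out.println("session valid:    " + authenticateSession(sess));
        System.out.println("session guessed:  " + authenticateSession(B64.encodeToString(new byte[16])));
        revokeSession(sess);
        System.out.println("session revoked:  " + authenticateSession(sess));

        String jwt = issueJwt("alice", 300);
        System.out.println("jwt valid:        " + authenticateJwt(jwt));
        // Swap in a payload claiming another subject while keeping the original signature.
        String[] p = jwt.split("\\.");
        String forged = B64.encodeToString("{\"sub\":\"admin\",\"exp\":9999999999}".getBytes(StandardCharsets.UTF_8));
        System.out.println("jwt tampered:     " + authenticateJwt(p[0] + "." + forged + "." + p[2]));
        // No server-side store means no revocation; a short exp is the only cut-off.
        System.out.println("jwt expired:      " + authenticateJwt(issueJwt("alice", -1)));
    }
}
```

Run with `javac SessionVsJwtDemo.java && java SessionVsJwtDemo`. The point to take from the two halves is that neither design is insecure by itself: a session ID from SecureRandom of this length is not predictable, and a JWT is only as hard to forge as the verifier that checks it (the pinned `alg` and constant-time compare above are exactly where real JWT libraries have had bugs). What differs is where the state lives: the session table can be revoked or audited instantly, while the JWT stays valid until `exp` unless you reintroduce a server-side denylist, which gives back most of the statefulness the JWT was meant to remove.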