Break things, write reports

Stop using JWT for session tokens

You've got a framework that gives you sessions, just use that.

Tags: dev | Categories: webapps
Posted: Jan 19, 2021

This is a topic that’s been covered quite a bit, but again, stop using JWT for session tokens.

[Figure: "Stop using JWT" decision flowchart, courtesy of cryto.net]

See http://cryto.net/~joepie91/blog/2016/06/19/stop-using-jwt-for-sessions-part-2-why-your-solution-doesnt-work/ for its fantastic flowchart, the original write-up at http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/, and Okta piling on a year later in 2017 at https://developer.okta.com/blog/2017/08/17/why-jwts-suck-as-session-tokens. The short version of all three: a stateless JWT cannot be revoked before it expires, and the moment you bolt on server-side state to fix that, you have rebuilt a session store with extra steps.
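To make the revocation problem concrete, here is an added example (not code from the original post, nor from the linked articles). It assumes a hand-rolled HMAC-signed token as a stand-in for a JWT and an in-memory dict as a stand-in for a framework session store; both are simplifications chosen so the block runs offline with only the standard library. Log the user out and the session id dies instantly, while the signed token keeps verifying until its expiry because there is nothing server-side left to consult.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class SessionStore:
    """Framework-style server-side sessions (assumed stand-in: an in-memory dict).

    The client only ever holds an opaque random id; all state lives here,
    so revocation is a single delete.
    """

    def __init__(self):
        self._sessions = {}

    def create(self, user_id, ttl=3600):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user_id, "expires": time.time() + ttl}
        return sid

    def lookup(self, sid):
        entry = self._sessions.get(sid)
        if entry is None or entry["expires"] < time.time():
            self._sessions.pop(sid, None)
            return None
        return entry["user"]

    def revoke(self, sid):
        # Logout, password change, admin lockout: the id is dead everywhere, immediately.
        self._sessions.pop(sid, None)


# --- self-contained signed token: assumed stand-in for a JWT ----------------

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, user_id: str, ttl=3600) -> str:
    """Sign {sub, exp} with HMAC-SHA256; the server keeps nothing about it."""
    payload = _b64(json.dumps({"sub": user_id, "exp": int(time.time()) + ttl}).encode())
    sig = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def verify_token(key: bytes, token: str):
    """Return the subject if the signature and expiry check out, else None."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(_unb64(payload))
    if claims["exp"] < time.time():
        return None
    return claims["sub"]


def verify_token_with_denylist(key: bytes, token: str, denylist: set):
    """The usual 'fix': consult a server-side set of revoked tokens on every request.

    At this point every request hits server state anyway, which is exactly
    what SessionStore already did with far less machinery.
    """
    if token in denylist:
        return None
    return verify_token(key, token)


def demo():
    """Issue both kinds of credential for 'alice', log her out, re-check both."""
    store = SessionStore()
    key = secrets.token_bytes(32)  # constructed signing key for the demo

    sid = store.create("alice")
    tok = issue_token(key, "alice")
    assert store.lookup(sid) == "alice" and verify_token(key, tok) == "alice"

    store.revoke(sid)  # user logs out; there is no equivalent call for the token
    after_session = store.lookup(sid)   # None: the server forgot it
    after_token = verify_token(key, tok)  # still "alice": nothing server-side to ask
    return after_session, after_token


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `(None, 'alice')`: the session is gone, the token lives on. `verify_token_with_denylist` shows the only way out, and it is the flowchart's punchline, since a denylist that must be checked on every request is a session store.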