top | item 27626232


jfhufl | 4 years ago

Nothing is "secure or not" - technologies/mitigations are secure against particular attacks. HTTPS is generally secure against passive network eavesdropping, but does nothing to stop local file inclusion in a web app.

Just because there are attacks or ways around a particular defense doesn't mean it's worthless; that's why we have defense in depth.


talove | 4 years ago

This. That's why they call them 'attack vectors'.

I disagree with the main thesis for why JWT is a problem. JWT isn't necessarily encouraging you not to hit the DB for user lookup. This is the claim the article makes as a problem with revocation.

It reads like a really long thoughtful article based entirely on false assumptions for how to best use it.

It's ok to carry around some encrypted state in your tokens for some use cases.
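The point talove makes, that a JWT can be verified statelessly and the server can still consult its own database before honouring it, is shown below as an added example; it is not code from the thread or from any library. It uses only the standard library: an HS256 verifier, followed by a lookup against an in-memory user table (`USERS`) and a revocation set (`REVOKED_JTI`), both constructed stand-ins for whatever store a real service would use. The key and the user records are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample state. In a real service these live in the database
# or a cache; that lookup is exactly the "hit the DB" step a JWT does not
# prevent you from doing.
USERS = {
    "alice": {"id": 1, "active": True, "roles": ["admin"]},
    "bob": {"id": 2, "active": False, "roles": []},   # disabled account
}
REVOKED_JTI = set()                                   # revoked token ids

SECRET_KEY = b"constructed-demo-key-do-not-reuse"     # sample HMAC key


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub: str, jti: str, ttl: int, key: bytes, now=None) -> str:
    """Mint an HS256 JWT; used here only to construct sample tokens."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "jti": jti, "iat": now, "exp": now + ttl}
    parts = [json.dumps(header, separators=(",", ":")).encode(),
             json.dumps(payload, separators=(",", ":")).encode()]
    signing_input = ".".join(_b64url_encode(p) for p in parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, key: bytes, now=None) -> dict:
    """Stateless part: structure, pinned algorithm, signature, expiry.

    Raises ValueError on any failure (binascii and JSON errors are
    ValueError subclasses, so malformed input lands here too).
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never trust alg from the token
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        raise ValueError("expired")
    return payload


def authenticate(token: str, key: bytes, now=None):
    """Stateful part: only after the signature holds, consult server state.

    Returns (status, detail): status is "ok", "invalid", "revoked" or
    "disabled"; detail is the user record on "ok".
    """
    try:
        payload = verify_token(token, key, now)
    except ValueError as exc:
        return ("invalid", str(exc))
    if payload.get("jti") in REVOKED_JTI:      # explicit revocation
        return ("revoked", None)
    user = USERS.get(payload.get("sub"))       # the DB lookup the article
    if user is None or not user["active"]:     # says JWT discourages
        return ("disabled", None)
    return ("ok", user)


def revoke(jti: str) -> None:
    """Invalidate a token before its exp by recording its jti."""
    REVOKED_JTI.add(jti)


if __name__ == "__main__":
    t = issue_token("alice", "t1", 3600, SECRET_KEY, now=1_000_000)
    print(authenticate(t, SECRET_KEY, now=1_000_100))
    revoke("t1")
    print(authenticate(t, SECRET_KEY, now=1_000_100))
```

The signature check rejects forged or expired tokens without any storage access, which is the cheap path; the user and revocation lookups are what give you immediate revocation and disabled-account enforcement, at the cost of one read per request. Whether to pay that cost is a deployment choice, not something the token format dictates.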