
rmykhajliw | 4 years ago

Looks like Redis is trying to promote itself as a session data storage. From my perspective:

1. There's no difference between stealing a JWT or a session_id, with all the problems it brings.

2. Session in external storage is a solution for small projects like a personal blog etc., because you have almost no traffic to handle. For example: 1kk sessions with an average size of 1k = 1kk * 1k = 1Gb in memory storage. Not so big, but you will meet all the issues of the 10k connections problem when trying to build a service which can handle this; it will also consume at least 100Mb/s of bandwidth just for getting/setting data.

3. Server side session is a simple place to store all unnecessary/secure data and can also grow exponentially. I saw plenty of projects where at one moment session data had grown over 1Mb. So the limits of JWT are a huge plus.

4. JWT is an easily scalable solution. It works great with 1k sessions and with 1kk - 100kk - 1000kk sessions.

5. Migration. Because of the limitations of server side sessions, plenty of projects started with the DB as session store just because they already had a DB. It's a painful path of migrating from DB to external storage (memcache/redis), then to JWT.

From my point of view I don't see any reason to keep using server sessions instead of JWT.


eldelshell | 4 years ago

6. Microservices. It's not unusual to have several microservices consume a common entity, like, say, User. If every microservice has to authorize each request by doing a DB lookup, it doesn't scale either.

He does bring fair points that are important to understand before using JWT. If your use case includes immediate logout, or needs to avoid stale data, then it might be better not to use JWT.
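The trade-off both comments circle around, shown as an added Python example (not code from either commenter): a microservice verifying an HS256 JWT needs only the shared secret and no DB lookup (point 6), but because the check is stateless, "immediate logout" only works if you reintroduce state, here as a constructed `jti` denylist. The secret and claims are constructed sample values.

```python
import base64, hashlib, hmac, json
from typing import Collection, Optional

SECRET = b"constructed-demo-secret"  # constructed; load from a secret store in practice

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(claims: dict, secret: bytes, ttl: int, now: int) -> str:
    """Issue a compact HS256 JWT with iat/exp added to the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    body = dict(claims, iat=now, exp=now + ttl)
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(body)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify(token: str, secret: bytes, now: int,
           revoked: Collection[str] = ()) -> Optional[dict]:
    """Stateless check: signature + expiry. The denylist is the only state."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except (ValueError, json.JSONDecodeError):
        return None
    # Pin the algorithm: the token's own alg field is attacker-controlled.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("exp", 0) <= now:
        return None  # short TTL bounds how long a stolen token stays usable
    if claims.get("jti") in revoked:
        return None  # "logout" before expiry requires this shared state
    return claims

if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value
    tok = mint({"sub": "user-42", "jti": "t1"}, SECRET, ttl=300, now=now)
    print(verify(tok, SECRET, now + 10))              # claims accepted
    print(verify(tok, SECRET, now + 10, revoked={"t1"}))  # None after logout
```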