top | item 40498490


levymetal | 1 year ago

> Isn’t session token theft as much of an issue as JWT token theft? Why is there a difference in security just because in one case it’s a JSON blob that says user_id:4,is_admin:false and in the other it’s an opaque string? Surely session tokens are equally vulnerable to XSS as JWT tokens?

The difference is that if your session cookie uses HttpOnly (which should _always_ be the case) then it can’t be read by JS, which makes it less vulnerable to XSS than a JWT (or worse, a refresh token) stored in a cookie by the client or in localStorage and therefore accessible to JS. Basically, you have to be more careful with how you handle JWTs, which makes it more likely for an inexperienced or careless dev to do something insecure like store a JWT in localStorage.

> How does it affect things? Does it affect request latency, or server time decoding the JSON?… Where is the latency introduced?

I think their point is that it’s faster not to hit the DB, assuming you aren’t hitting the DB for any other reason. Any performance optimisation should be justified and profiled. There aren’t many applications operating at a scale where the difference in performance between JWTs and session tokens is going to make a significant difference, and even fewer who can genuinely use JWTs without hitting the DB (e.g., to ensure the JWT hasn’t been revoked).
