JSON Web Tokens: Downsides, Best Practices and Secure and Robust Alternatives


JSON Web Tokens (JWTs) are nowadays commonly used for transmitting authentication data in web applications, especially those built on the widespread client-server architecture in which a fat client (a single-page application written in JavaScript) serves as the front-end and a back-end server exposes REST endpoints for that client.

However, common as this practice is, there are good arguments against it.

In a nutshell, JWTs are often used for storing session data such as user authorization and authentication information, although they aren’t particularly well-suited to that task. Often, the supposed merits of JWTs are compared to those of cookies as well, which is actually a false dichotomy, because cookies and JWTs aren’t mutually exclusive. In fact, a JWT is technically a data type while a cookie is a storage mechanism, and that storage mechanism is perfectly capable of holding a JWT (the other commonly used storage mechanism being the localStorage browser API).

These misconceptions, together with the purported main advantage of JWTs – their statelessness and the implications that property has for better horizontal scalability – frequently lead to JWTs being used indiscriminately.

In 2017, Paragon Initiative, a web security consulting company, published an article on JavaScript Object Signing (a generalisation of the concept behind JSON Web Tokens) and why in most cases there are better, more secure alternatives.

In summary, for most use cases a server-side session with the session ID stored in a cookie will be both more secure and easier to use than a JWT stored in localStorage. The latter, while potentially mitigating CSRF vulnerabilities, is open to a whole new category of security issues that arise from being readable and manipulable by any JavaScript running in the page, while its only true advantage, horizontal scalability, is irrelevant for most applications, simply because most applications don’t have scaling requirements that couldn’t be met by a dedicated server-side session store such as a Redis server.

About the author: Bjoern
Independent IT consultant, entrepreneur
