Never Use JSON Web Tokens For Authentication
I have been working with JWTs (JSON Web Tokens) for quite some time, and I see a lot of people trying to use them as a replacement for sessions and cookies. After doing some extensive research, I found quite a few others who share my view that JSON Web Tokens will prove to be a terrible replacement for sessions and cookies.
First of all, let us quickly look at how a JWT could be used in a user login system.
JWT in Login Systems
Before we discuss this, I suggest you read this article to understand how user login systems generally work. The first argument for using JWT in place of a traditional login system comes from a simple idea: the client passes the JWT on every request, and the JWT contains the user's id. If the JWT is valid, i.e. it was created and signed by the server itself, the server accepts it and lets the user perform the desired actions. This way you save the hassle of hitting the database to check "keep me logged in" cookies and of managing sessions.
Even for me, JWT was pretty tempting until I thought more deeply about it and realised some potential problems that make JWT look useless for authentication.
What you store in the JWT
It is important to note that JWTs ultimately have to be stored on the user's device, in the form of cookies or web storage. So anyone with access to the device and the token can not only obtain the JWT but also read its contents: the payload is only base64url-encoded, not encrypted. Shocked? Well, that's a reality check for people who didn't know how JWTs work. So realistically the only thing you can store is the user id, and even then you will have to hit the database on every request to check what that user is allowed to do, such as their roles.
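As an added illustration of the two points above (the server accepts a token only if it carries a signature made with the server's own secret, while anyone holding the token can read its payload without that secret), here is example code that is not from the original post; the secret, the claims and the minimal HS256 helpers are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed example secret; a real deployment keeps this server-side only.
SERVER_SECRET = b"example-hs256-secret-not-for-production"

def b64url_encode(raw: bytes) -> str:
    # JWT uses base64url without '=' padding (RFC 7515, section 2).
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # Restore the padding stripped during encoding before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(claims: dict, secret: bytes) -> str:
    # Server side: header and payload are plain base64url; only the signature depends on the secret.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"

def read_claims_without_key(token: str) -> dict:
    # Anyone holding the token can do this: no secret is needed to read the payload.
    _, payload, _ = token.split(".")
    return json.loads(b64url_decode(payload))

def verify_jwt(token: str, secret: bytes):
    # Server side: recompute the HMAC over header.payload and compare in constant time.
    # Returns the claims only if the token was signed with our secret, otherwise None.
    try:
        header, payload, signature = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # only accept the algorithm we actually sign with
        expected = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(signature)):
            return None
        return json.loads(b64url_decode(payload))
    except ValueError:  # malformed base64, JSON or token structure
        return None

if __name__ == "__main__":
    token = mint_jwt({"sub": "user-42"}, SERVER_SECRET)
    print("readable without key:", read_claims_without_key(token))
    print("verified by server:", verify_jwt(token, SERVER_SECRET))
```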
Keep Me Logged In
The keep-me-logged-in token is often stored as a cookie and saves you from having to type your password every time you open the website. The usual procedure is that a token stored in the cookie is used to start a session. Replacing sessions with JWT, however, means you are completely at the mercy of the token. Think about it: if someone's device gets stolen, they lose their token, and now anyone holding that token can log in. And you cannot simply delete that token from a list of approved tokens either, because doing so would mean the server has to check the token's existence on every request. Again, this would do more harm than good when using tokens.
Speed is crucial in login systems. Some people will point out that decoding a JWT may be faster than fetching data from the database, but you shouldn't forget that the JWT has to be decoded on every request, unlike the traditional method, which only requires touching the database once at the beginning.
JWTs are an excellent piece of technology, but they are not a replacement for login systems. Considering the points discussed in this article, it would be a total disaster to use them in login flows. These are just my views; feel free to add to the topic in the comment section below.