
Stop Using JWTs

This gist emphatically advises developers to stop using JSON Web Tokens (JWTs) for user sessions, arguing they are insecure, not designed for long lifespans, and not truly stateless. It reignites a perennial Hacker News debate, with many commenters agreeing on the browser session caveat but fervently defending JWTs' utility in other architectural contexts. The discussion highlights the fine line between proper tool application and common security foot-guns.

  • Score: 60
  • Comments: 30
  • Highest Rank: #8
  • On Front Page: 22h
  • First Seen: Jun 16, 6:00 PM
  • Last Seen: Jun 17, 3:00 PM

Rank Over Time (chart; data points not reproduced)

The Lowdown

A strong opinion piece urges developers to cease using JWTs for user session management, advocating instead for traditional cookie sessions. The author contends that JWTs are fundamentally unsuitable for maintaining user login states due to several critical flaws.

Key arguments against using JWTs for sessions include:

  • Design Limitations: The JWT specification is intended for very short-lived tokens (around 5 minutes), whereas sessions require longer lifespans.
  • False Statelessness: Secure authentication with JWTs necessitates some form of state (e.g., for revocation), undermining the supposed "stateless" advantage. If state is required, a simple session store is often superior.
  • Inefficiency: JWTs storing simple session tokens are less efficient and flexible than standard session cookies, offering no real benefit.
  • Security Concerns: The JWT specification itself has faced criticism from security experts, with past vulnerabilities (e.g., enabling fake token creation) leading to distrust.

The author addresses common rebuttals, clarifying that Google's use of JWTs is for SSO transport, not browser sessions, and that "stateless" authentication is rarely securely achievable without massive resources. For those unfamiliar with sessions, the post points to framework-provided session implementations.

As a secure alternative for short-lived, signed tokens, PASETO is recommended. The core message emphasizes that while JWTs might have niche applications, they are broadly misapplied and insecure for managing browser-based user sessions.

The Gossip

Nuance of Necessity

Many commenters strongly agree that JWTs are a poor choice for browser-based user sessions, but swiftly pivot to defend their invaluable role in other contexts. They highlight JWTs' effectiveness for service-to-service communication, single sign-on (SSO) scenarios, and as short-lived, verifiable identity tokens passed between applications. The consensus emerges that the problem isn't JWTs themselves, but their misapplication.

Statelessness Squabbles

The discussion vigorously debates the 'stateless' nature of JWTs. Critics argue that truly secure statelessness is a myth, as token invalidation (e.g., on logout or compromise) inevitably requires a stateful mechanism like a revocation list. Proponents counter with practical strategies such as very short-lived tokens with refresh mechanisms, or using a 'minimum_issued_at' timestamp stored per user, which invalidates all prior tokens upon a password change or 'sign out all devices' action, thereby managing state without a full session store.

Security Scrutiny & Solutions

Commenters delve into the historical security concerns surrounding JWTs, citing past vulnerabilities where libraries had poor defaults (e.g., 'none' algorithm attacks). However, many contend that modern libraries have matured, and proper implementation practices—like using strong public/private-key (asymmetric) signing methods, enforcing short token lifespans, and storing tokens in HttpOnly cookies—mitigate these risks. The initial mention of a 'FIFA hack' as justification for the post was quickly dismissed as unrelated to JWTs themselves.
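The two mitigations the thread keeps returning to, the per-user 'minimum_issued_at' cutoff from the statelessness debate and a verifier that pins the algorithm so an 'alg: none' token cannot slip through, fit in one small verifier. The following is an added illustration, not code from the gist or from any commenter, written with only the Python standard library. The secret, the `USERS` record, the `MAX_LIFETIME` policy and all function names are constructed for the example.

```python
"""Added example: a minimal HS256 JWT verifier showing (1) a pinned algorithm so
'none' is refused, (2) a short maximum lifetime, and (3) a per-user
minimum_issued_at cutoff that invalidates every earlier token on password
change or 'sign out all devices'. Standard library only; all values are
constructed sample data, not production settings."""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-sample-secret-do-not-reuse"  # constructed, hypothetical
MAX_LIFETIME = 5 * 60  # seconds; the short lifetime the gist argues for

# Constructed per-user state: the only thing the server remembers. The single
# integer is bumped on password change or "sign out all devices".
USERS = {"alice": {"minimum_issued_at": 0}}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub: str, now: int, lifetime: int = MAX_LIFETIME) -> str:
    """Mint an HS256 token carrying iat/exp, as a library would."""
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":"))
    claims = json.dumps({"sub": sub, "iat": now, "exp": now + lifetime},
                        separators=(",", ":"))
    signing_input = _b64url(header.encode()) + "." + _b64url(claims.encode())
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: int) -> dict:
    """Return the claims if acceptable, else raise ValueError.

    Order: structure, algorithm pinned to HS256 (the token never chooses how it
    is verified, so alg=none is rejected before the signature is examined),
    constant-time signature check, expiry, maximum lifetime, then the
    per-user minimum_issued_at cutoff."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(c_b64))
    except ValueError as exc:  # covers bad split, bad base64, bad JSON
        raise ValueError("malformed token") from exc

    if header.get("alg") != "HS256":
        raise ValueError("unsupported or unsafe alg: %r" % header.get("alg"))

    expected = hmac.new(SECRET, (h_b64 + "." + c_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")

    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        raise ValueError("iat/exp missing")
    if now >= exp:
        raise ValueError("expired")
    if exp - iat > MAX_LIFETIME:
        raise ValueError("lifetime too long")  # minted outside policy

    user = USERS.get(claims.get("sub"))
    if user is None:
        raise ValueError("unknown subject")
    # Tokens issued at or after the cutoff second are accepted; iat is only
    # second-granular, so that is the finest cut the claim allows.
    if iat < user["minimum_issued_at"]:
        raise ValueError("token issued before sign-out-all / password change")
    return claims


def sign_out_all_devices(sub: str, now: int) -> None:
    """The stateful part: one integer per user, no session table."""
    USERS[sub]["minimum_issued_at"] = now


def none_alg_test_vector(sub: str, now: int) -> str:
    """Constructed negative test vector: alg=none with an empty signature,
    the shape a verifier with poor defaults used to accept."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"sub": sub, "iat": now, "exp": now + 60}).encode())
    return header + "." + claims + "."


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed clock value
    tok = issue_token("alice", t0)
    print("valid:", verify_token(tok, t0 + 10)["sub"])
    for bad in (none_alg_test_vector("alice", t0), issue_token("alice", t0, 3600)):
        try:
            verify_token(bad, t0 + 1)
        except ValueError as err:
            print("rejected:", err)
    sign_out_all_devices("alice", t0 + 20)
    try:
        verify_token(tok, t0 + 30)
    except ValueError as err:
        print("rejected after sign-out-all:", err)
```

The design choice worth noting is that the server still holds state, exactly as the critics say, but it is one integer per user rather than a row per session, which is the trade the 'minimum_issued_at' proponents are describing. The verifier also never reads the `alg` header to decide what to do; it compares it against the one algorithm it is configured for and rejects everything else.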