JWT. What is it really?
In this article, a JSON Web Token (JWT) is discussed within the scope of client-server authentication.
JWT is an open industry standard (RFC 7519) for sharing signed information between two entities, typically a client and a server. On later requests, the server uses the JWT to verify that the user who logged in during authentication is allowed to access it.
Traditional methodology via Cookies
Before going into detail about the general process of authentication and authorization, a few key terms should be defined:
- A session includes all the information relevant during a user’s visit to the website. This information is saved on the server. A session spans the time from when a user arrives on the first page to when they leave the site.
- A cookie is a small text record the web browser stores to authenticate and track a user’s visits to the website. The browser keeps the information in key-value format. A cookie typically outlives a single session.
- A session ID is a unique token the website assigns to the user for the duration of a session. It is stored and delivered in a cookie. The session ID is discarded when the user closes the browser.
In session-based authentication, the user logs in from the client by posting to some kind of login service (for instance, with their email and password). The server authenticates the user on receiving this data. When a new session starts, the server sends the session ID to the client in a cookie.
Token-based authentication
Here, the server signs the user’s data in a JWT and sends it back to the client. The client stores the JWT either in local storage or in a cookie and attaches it to subsequent requests; the server first verifies the token, then responds. Unlike session-based authentication, token-based authentication stores no client information on the server. When the user logs out, the token is discarded on both sides.
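As an added illustration of the sign-then-verify flow described above (example code written for this explanation, not code from the original article), the following Python uses only the standard library to issue an HS256 JWT at login and to check it on a later request. The key, claims and timestamps are constructed values, and demo() walks through one valid token and the cases a server must reject.

```python
import base64, hashlib, hmac, json, time

def _b64url(data: bytes) -> str:
    # JWTs use base64url without '=' padding (RFC 7515)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    """Server side at login: sign the user's claims with HMAC-SHA256 (JWT 'HS256')."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes, now=None):
    """Server side on each request: claims if authentic and unexpired, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm; never let the token choose it (e.g. "alg": "none").
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        # Constant-time comparison so signature checks do not leak timing.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        exp = claims.get("exp") if isinstance(claims, dict) else None
        # Require and enforce an expiry: a stolen token should not live forever.
        if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
            return None
        return claims
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None

def demo():
    """Constructed scenario: one valid token, then the checks that must fail."""
    key = b"constructed-demo-secret"  # assumed server key, for illustration only
    tok = sign_jwt({"sub": "alice", "role": "user", "exp": 2000}, key)
    h, p, s = tok.split(".")
    swapped = _b64url(b'{"sub":"alice","role":"admin","exp":2000}')  # edited claims
    none_hdr = _b64url(b'{"alg":"none"}')
    return {
        "valid": verify_jwt(tok, key, now=1000),
        "expired": verify_jwt(tok, key, now=2000),
        "wrong_key": verify_jwt(tok, b"other-key", now=1000),
        "payload_edited": verify_jwt(f"{h}.{swapped}.{s}", key, now=1000),
        "alg_none": verify_jwt(f"{none_hdr}.{p}.", key, now=1000),
    }
```

The payload is only base64url-encoded, not encrypted, so anyone holding the token can read the claims; the signature is what stops them from changing the claims and having the server accept them.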
JWT or Sessions?
In theory, JWTs are preferred because:
- They are cryptographically signed.
- They can contain a vast amount of data.
- They eliminate the need for a database of sessions.
- They minimize security risks.
In practice, like every other piece of technology, JWT has its shortcomings:
- They occupy more space than a session ID.
- They are sent with every request to the server.
- They can be intercepted by third parties.
Signed JWTs are undeniably a sound standard for exchanging information between entities. But the security risks should be weighed and countermeasures devised before adopting them.