Invalidating cookies
JWT is as secure as any other solution, and this article proves it, since he isn't well informed; he just throws a bunch of stuff out and tries to be "an expert". Every other solution is really dangerous as well; especially cookies can be a total mess of security problems. My thoughts are: use the thing you're most happy with, the thing you understand, and the thing you can implement with code that is totally clear, and especially code that is really, really easy to understand. I've seen a lot of people just using session cookies from their framework, but eventually they have no idea about the risks: they have lots of CSRF all over the place, or use a too-small ID, or eventually the ID is not really random. As seen with this guy, he generates the JWT without any well-known secure string. So you can't invalidate a single user's session without invalidating all users' sessions.
I keep a counter in the JWT to at least mostly get around this issue.
The subject of a token (the "sub" JWT claim) is often something like a user ID.
When an event occurs that requires all tokens for a given subject to be revoked, save that time stamp as the subject's "epoch".
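The per-subject "epoch" scheme described above, as an added example that is not code from any commenter in this thread: tokens are HS256-signed with the standard library, each subject's revocation time is kept in an in-memory dict (assumed stand-in for a real cache or database), and any token whose `iat` is at or before that epoch is rejected even though its signature is still valid. The secret and all timestamps are constructed demo values.

```python
import base64, hashlib, hmac, json
from typing import Optional

SECRET = b"constructed-demo-secret"  # constructed; a real deployment uses a random per-deployment key
subject_epoch = {}  # assumed store: sub -> unix time at which all earlier tokens became invalid

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue(sub: str, now: int, ttl: int = 3600) -> str:
    """Mint an HS256 JWT carrying sub, iat and exp for the given subject."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64(json.dumps({"sub": sub, "iat": now, "exp": now + ttl}, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def revoke_all(sub: str, now: int) -> None:
    """Record the subject's epoch: every token issued at or before `now` is now dead."""
    subject_epoch[sub] = now

def verify(token: str, now: int) -> Optional[dict]:
    """Return the claims if the token is well-formed, signed, unexpired and newer than the epoch."""
    try:
        h, p, s = token.split(".")
        if json.loads(_unb64(h)).get("alg") != "HS256":   # pin the algorithm; never trust "none"
            return None
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(s)):
            return None
        claims = json.loads(_unb64(p))
    except (ValueError, TypeError):
        return None
    if claims["exp"] <= now:
        return None
    # The epoch check is the only lookup needed per request, and it is per subject, not per token.
    if claims["iat"] <= subject_epoch.get(claims["sub"], -1):
        return None
    return claims
```

Note that a token issued in the same second as the revocation is also rejected, so a client must obtain a fresh token after the epoch moves.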
You may insert a new session, but the old session will remain unless you close the browser.
They take the same amount of storage as signed cookies. Wuhu, I use JWT so often and I NEVER exceeded the cookie limit, but I wouldn't store them there anyway. JWT implementations is that it doesn't hit the database on every request - the token is only validated against a global secret.
Do you ever worry that, in the case of failure or some other event, your revocation list could be lost and allow old hacked sessions to be used? I like the idea of a revocation list, but this seems to be a pretty big concern. There are other layers of security here - the sessions expire (so there's a limited window to exploit each one), the sessions are always transmitted via SSL (so you pretty much have to have an exploit on the customer's system to get one), and the sessions are restricted to one customer (so you only have an attack against the customer whose system you have an exploit on).
These are just some random and half-baked thoughts, I have no idea what OP does, but there are options to limit hitting backing DBs anyway.