Why JWTs Should Not Be Used for User Session Management
By
262588213843476
21d ago· 3 min readenCode
Summary
The article argues against using JSON Web Tokens (JWTs) for user authentication/session management. It claims JWTs are not designed for keeping users logged in, are insecure for that purpose, and recommends using regular cookie sessions instead. The author references a presentation for deeper context and notes that other security topics like CSRF protection should be learned separately.
Source
Key quotes
· 3 pulledJWTs should not be used for keeping your user logged in.
They are not designed for this purpose, they are not secure, and there is a much better tool which is designed for it: regular cookie sessions.
Note that other topics are largely skimmed over, such as CSRF protection. You should learn about other topics from other sources.
Stop using JWTs. GitHub Gist: instantly share code, notes, and snippets.
You might also wanna read
JWT vs Opaque Tokens: A Technical Comparison for API Security Architecture
This article compares JWT (JSON Web Tokens) and opaque tokens for API security, clarifying the common confusion between bearer tokens and JW
JWT Authentication in ASP.NET Core - A Complete .NET 10 Guide
codewithmukesh.com·1mo ago
Implementing JWT Authentication in Golang REST API - Detailed Guide
codewithmukesh.com·4y ago
What is Token Authentication?
Packetlabs·2y ago

Session Timeouts as Accessibility Barriers in Web Authentication Design
The article discusses how poorly implemented session timeouts in web authentication systems create significant accessibility barriers for pe
Securing .NET WebAPI with Amazon Cognito - Serverless Authentication System - Client Credentials & Password Flows - JWT!
codewithmukesh.com·3y ago

Comments
Sign in to join the conversation.
No comments yet. Be the first.