I have been reading about JSON Web Tokens and some questions popped up in my mind. I have read a lot of claims about how we should move from a session-based approach to JWT. I am thinking more in terms of a Node JS backend that exposes an API for the UI as well as the mobile app.
Claim: JWT does not require you to communicate with your key-value data store for every HTTP request.
Question 1: I can't have a single private key for all the users (what's the security risk if I have only one private key?). Then I would need to have a DB anyway.
Claim: JWT sends the token on every request, and hence we don't need to store any data like "name, email" in the session; instead they can reside in the token itself.
Question 2: Won't the size of the payload increase, since they would be sent for every request and it also contains data?
Claim: You can use the same method for mobile auth as well as Web UI auth.
Question 3: Since the server now has to decrypt the token and communicate to the server, isn't it an overhead for the Web UI?
Claim: Pass the token to the JS and store the token in sessionStorage or localStorage.
Question 4: Since there is no concept of "httpOnly" in sessionStorage, isn't it a security concern? Also, can Chrome plugins circumvent the security by getting the token and logging in?
Finally, apart from the CSRF issue, sharing the code between UI and mobile auth and the CSRF benefits, I really don't see much benefit over the current session-based mechanism. Am I correct in my thinking?
Also, what are the cases, and what are the disadvantages of JWT, when compared to traditional session-based systems?
Question 1
Yes, if you wanted to sign the JWT uniquely for each user then you would need to store those keys in your database.
Also, you will anyway need to store the token in your DB, because when the token is revoked you need to reject that request even though the token is valid.
But the point to look at here is that this token-based authentication is useful for all clients, not just web apps, so rewriting the APIs is not required.
JWT is one format for the token in token-based auth.
Question 2
Yes, your payload can easily reach 700 to 1000 chars even if you add a small amount of details in the JWT.
But it helps to have clear info about the authenticated user without hitting the DB; the suggestion here is to have very minimal info in the token and store the rest in the DB and use it when required.
Question 3
No, all the client (web app) needs to do here is to store and send that token in each request, which is the same as sending the session cookie (it's just automatic).
Question 4
Yes, anyone can copy the token and gain access (but it will expire after a short time); this is the same as session hijacking, or, after a session is established, the user can directly call APIs from their REST console in the browser and it still works.
In this case the token is efficient since it usually has a short lifetime rather than the session's lifetime.
There are real benefits in JWT; the top one is that you can expose the same APIs to any client, there is no need to write individual APIs for the web app and other clients.
JWT is still a draft and not a specification, and if you use it carefully there are real benefits in it; search about token-based authentication and you will see lots of advantages over sessions.