Slides from the talk "Token vs Cookies" at Devoxx Morocco 2015.
Introduction to JSON Web Tokens (JWT) and comparison with (classic) cookie-based session handling.
Find the demo project used during this talk on GitHub: https://github.com/madmas/TokenVsCookies
1. #DevoxxMA #JWT @madmas
Token vs. Cookies
JWT – the silver bullet for authentication in modern application stacks?
Markus Schlichting
2. About
Markus Schlichting
Senior Software Engineer, Basel, Switzerland
Hackergarten Basel
markus.schlichting@canoo.com
@madmas
3. Cookies & Sessions
(Diagram: browser and server both on https://app.yoursite.ma, plus a server-side session store)
• Credentials → validation, create session
• Session information → session store; the session id is stored in a session cookie
• Send session information (cookie) with every request
• Check session, grant access
4. Cookies & Sessions
• load balancing requires a shared session pool
• separate services need to sync via the session pool
• cross origin resource sharing (CORS)
• CSRF vulnerabilities
• other clients than browsers?
5. JSON Web Token
JSON Web Tokens are an open, industry standard (RFC 7519) method for representing claims securely between two parties.
• relies on other JSON-based standards:
• JWS (JSON Web Signature)
• JWE (JSON Web Encryption)
• libraries widely available
6. JWT – How?
(Diagram: browser, https://www.yoursite.ma issues the token, https://api.yoursite.ma consumes it)
• Credentials → validation, create token
• Store token (on the client)
• Send token with every request
• Validate token, grant access
9. JWT security aspects
• use on encrypted connections only (HTTPS!)
• avoid URL tokens: https://yoursite.ma/service/action?token=jwt.goes.here
• a lot of effort has been made in securing session cookies
• HttpOnly, etc.
• be aware of the implications coming with tokens
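Where the api should and should not accept the token from, as an added example (not code from the talk or its demo project) following the slide above: the Authorization header is the normal path, a token in the query string is refused outright because URLs end up in browser history, access logs and the Referer header, and a token that is kept in a cookie gets the protections session cookies already have. extractToken(), tokenCookie(), the cookie name and the requirement of a custom X-Requested-With header for cookie-borne tokens (a CSRF guard, since cross-site form posts cannot set custom headers) are this example's own choices.

```javascript
// Added example (not code from the talk or its demo project): how the api
// side picks up the token, following the "JWT security aspects" slide.
// extractToken(), tokenCookie(), TOKEN_COOKIE and the X-Requested-With
// requirement for cookie-borne tokens are this example's own choices.

const TOKEN_COOKIE = 'access_token';
const JWT_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;

// Minimal Cookie header parser, enough for this example.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx > 0) out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Accept the token only from the Authorization header or from a cookie the
// server set itself. A token in the query string is refused outright: URLs
// end up in browser history, proxy and server access logs and the Referer
// header, none of which should ever see a bearer credential.
function extractToken(req) {
  const url = new URL(req.url, 'https://api.yoursite.ma');
  if (url.searchParams.has('token')) {
    return { error: 'tokens in the URL are not accepted' };
  }
  const auth = req.headers.authorization || '';
  if (auth.startsWith('Bearer ')) {
    const token = auth.slice('Bearer '.length).trim();
    return JWT_SHAPE.test(token) ? { token, source: 'header' } : { error: 'malformed bearer token' };
  }
  const fromCookie = parseCookies(req.headers.cookie)[TOKEN_COOKIE];
  if (fromCookie) {
    // The browser attaches cookies on its own, also to cross-site requests,
    // so a cookie-borne token inherits the CSRF problem of the session
    // cookie. Require a custom header that a cross-site form post cannot
    // set (this example's choice); SameSite on the cookie is a second layer.
    if (!req.headers['x-requested-with']) return { error: 'missing CSRF header' };
    return JWT_SHAPE.test(fromCookie) ? { token: fromCookie, source: 'cookie' } : { error: 'malformed cookie token' };
  }
  return { error: 'no token' };
}

// If the token is kept in a cookie, give it the protections session cookies
// received over the years: HttpOnly (no access from script), Secure (HTTPS
// only), SameSite (cross-site requests do not carry it) and a lifetime no
// longer than the token's own exp.
function tokenCookie(token, maxAgeSeconds) {
  return `${TOKEN_COOKIE}=${token}; Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Strict`;
}
```

A token in a plain JavaScript-readable store (localStorage, a non-HttpOnly cookie) is exposed to any script that runs in the page; the HttpOnly cookie trades that away for the CSRF consideration handled above. Whichever way is chosen, the trade-off is the "implication coming with tokens" the slide warns about.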
10. JWT summary
• embraces JSON, heavily adopted across many stacks
• simple to use, simple to implement
• more libs, fewer interoperability issues
• supports both symmetric and asymmetric crypto
• majority of use cases solved
• reduces the dependency between services to a minimum
• shared secret, public/private keys
• helps to achieve one basic principle in REST-based architecture: state transfer
11. Conclusion
• Cookies are not completely obsolete, but JWT provide a lot of benefits!
• JWT for scalability and flexibility
• very useful to provide a cross-platform API
• ServiceWorkers to ease up handling within the browser
13. Resources
• RFC 7519 - JSON Web Token (JWT)
• Dwyl/learn-json-web-tokens
• Auth0: 10 Things You Should Know about Tokens
• Does JWT put your webapp at risk?
• Make your REST services attack proof – Alex Soto Bueno