We live in a world of rich client side applications and we need a secure way to authenticate our users. Session IDs are the traditional solution, but how well do they work for modern applications? You can't leave your credentials in the client, there's always someone malicious just waiting to steal them. Enter the JWT. These fancy little tokens can authenticate our users and our transactions because they know what they're allowed to do. We'll take a look at what JWTs can be used for, why to choose JWTs, how to generate them, and most importantly how to keep them.
62. Stateless sessions - revocation
• exp claim - token expiry time
• Without state, you can't revoke individual tokens
except by expiry
• Requires a blacklist of revoked tokens to check
against
@philnash
63. Stateless sessions - storage
• Cookies
• ensure you have CSRF protection
• localStorage
• vulnerable to XSS
• requires JS to store and insert as an
Authentication header
@philnash