
I am currently creating a login system for my website. To secure the login service, should I use JSON Web Tokens and HTML5 storage, or should I use the older way of using cookies? Are any of these options secure or is there a better way of securing my system?

Also, if I do use JWT or cookies, what would be the most secure way of authenticating users?

Please note: This site is only going to have a small number of users as it is a personal site.

iProgram

2 Answers


Reasons to pick JWT:

  • Does not require the server to keep a state, i.e. no need for a costly lookup on every request.
  • Easier to share authorisation across different domains.

Reasons to pick session cookies:

  • Easier to implement in many languages and frameworks (e.g. PHP).
  • Instant revocation of authorisation, e.g. logging a user out, is possible. Even with a more complex two token system revocation is not instant if you use JWT.

When doing something simple for a few users in PHP, you do not need the benefits of the JWT. Given that PHP comes with an existing implementation of sessions, I would just use that to avoid unnecessary complexity. But for a different project with different needs the answer can be different.

Anders
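As an added illustration of the session approach Anders recommends (example code, not from the answer or from any project the page mentions): a small PHP login that keeps the state on the server, which is exactly what makes logout revoke access instantly. It assumes PHP 7.3 or later (array form of `session_set_cookie_params()` and `setcookie()`), a site served over HTTPS, and a constructed in-memory `$users` table standing in for a database of `password_hash()` values.

```php
<?php
// Added example (not from the answer): a small PHP session login that keeps
// the server-side state Anders describes, so logout revokes access instantly.
// Assumptions: PHP 7.3+ (array form of session_set_cookie_params/setcookie),
// the site is served over HTTPS, and $users is a constructed stand-in for a
// database table of username => password_hash() values.
declare(strict_types=1);

// Constructed sample user table; a real site would load this from its database.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started earlier in this request
    }
    session_name('sid'); // do not advertise PHPSESSID
    session_set_cookie_params([
        'lifetime' => 0,         // browser-session cookie
        'path'     => '/',
        'secure'   => true,      // HTTPS only
        'httponly' => true,      // invisible to JavaScript
        'samesite' => 'Strict',  // not sent on cross-site requests (CSRF)
    ]);
    session_start();
}

function login(array $users, string $username, string $password): bool
{
    start_secure_session();
    $hash = $users[$username] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    // Fresh session id on login defeats session fixation.
    session_regenerate_id(true);
    $_SESSION['user']     = $username;
    $_SESSION['login_at'] = time();
    return true;
}

function current_user(): ?string
{
    start_secure_session();
    if (!isset($_SESSION['user'], $_SESSION['login_at'])) {
        return null;
    }
    // Absolute lifetime: a copied cookie stops working after 8 hours regardless.
    if (time() - $_SESSION['login_at'] > 8 * 3600) {
        logout();
        return null;
    }
    return $_SESSION['user'];
}

function logout(): void
{
    start_secure_session();
    $_SESSION = [];
    // Destroying the server-side record is what makes revocation instant:
    // the old cookie value no longer resolves to a session.
    session_destroy();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// Usage in a login handler (form POST with "username" and "password" fields):
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_POST['username'], $_POST['password'])) {
    if (login($users, (string) $_POST['username'], (string) $_POST['password'])) {
        header('Location: /', true, 303);
        exit;
    }
    http_response_code(401);
    echo 'Invalid username or password';
}
```

The cookie flags (`secure`, `httponly`, `samesite`) are the same ones you would want on any session cookie; `session_regenerate_id(true)` after a successful login and `session_destroy()` on logout are what the built-in session machinery gives you for free that a stateless token cannot.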

Use both. Just take a few measures to prevent identity theft.

Okay, but let's talk how to do that.

JWT is not a replacement for cookies. It couldn't be, as they have different purposes.

In a web app (e.g., not a web api), cookies are still the safest and best overall to transport credentials over HTTPS. In fact, there is at least one other established way to store credentials. It's the HTTP Authorization header. The trouble with authorization headers in a web app is that they will be available to client side scripting, and when a long term session is required, we'll need to store the credentials somewhere. There's no safe way to do that in browsers. So authorization headers are best used in web apis consumed server side.

Traditionally, a session cookie only stores a pointer to data stored somewhere else. A server would have to decode the cookie and then fetch the data it points to. For large systems, a cache or session database is used to avoid tying the user to a single server. Now enters JWT.

JWT is a message format that can contain all the information the server needs to process requests, like identifying the user. It saves the server from performing a request to fetch further data. The complete payload is signed and sent alongside the message to confirm it is valid. It's not a hash, nor is it secret, so no sensitive information should go in there. Now, we still need a medium to transport the JWT between server & browser. A Secure, HttpOnly cookie fits like a glove.

Larger systems benefit from JWT because any server could serve a request, unlike a session cookie, which is usually (unless as stated above) tied to a single server.

There are other pros & cons for each as stated by Anders in his answer, I'm not going to repeat them all over.

  • So do you mean that I should use a cookie for authentication, but store a JWT in the cookie. This would then let me store the user ID and then my PHP script would then pick out the user ID while validating the JWT, preventing unwanted modification? Or have I got this wrong? – iProgram Nov 25 '17 at 20:49
  • Yeap, you got it right. That's the beauty of it. – André Werlang Nov 25 '17 at 21:06
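As an added example of the arrangement confirmed in the comments above (a signed JWT carrying the user id, transported in a Secure, HttpOnly cookie, and validated by the PHP script on every request); this is illustrative code, not from the answer or from any library. It assumes PHP 7.3 or later, an HS256 signing key supplied in an environment variable named `JWT_KEY`, and a cookie named `auth`; both names are this example's own choices.

```php
<?php
// Added example (not from the answer): minting and verifying an HS256 JWT
// that is carried in a Secure, HttpOnly cookie. Assumptions: PHP 7.3+,
// signing key in the JWT_KEY environment variable (this example's name),
// cookie named "auth" (this example's name). The payload carries only a
// user id and expiry: a JWT is signed, not encrypted, so nothing secret goes in.
declare(strict_types=1);

function b64url(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64url_decode(string $data): string
{
    $out = base64_decode(strtr($data, '-_', '+/'), true);
    return $out === false ? '' : $out; // '' makes json_decode() return null
}

function jwt_sign(array $claims, string $key): string
{
    $header  = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url(json_encode($claims));
    $sig     = b64url(hash_hmac('sha256', "$header.$payload", $key, true));
    return "$header.$payload.$sig";
}

// Returns the claims on success, null for any malformed, tampered or expired token.
function jwt_verify(string $token, string $key): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$header, $payload, $sig] = $parts;
    // Pin the algorithm: the verifier decides it is HS256, never the token's header.
    $hdr = json_decode(b64url_decode($header), true);
    if (!is_array($hdr) || ($hdr['alg'] ?? '') !== 'HS256') {
        return null;
    }
    $expected = b64url(hash_hmac('sha256', "$header.$payload", $key, true));
    if (!hash_equals($expected, $sig)) { // constant-time comparison
        return null;
    }
    $claims = json_decode(b64url_decode($payload), true);
    if (!is_array($claims) || !isset($claims['exp']) || $claims['exp'] < time()) {
        return null; // missing or past expiry
    }
    return $claims;
}

function issue_login_cookie(int $userId, string $key): void
{
    // Short lifetime: as Anders notes, a JWT cannot be revoked instantly,
    // so the expiry is the only thing that limits a leaked token.
    $exp   = time() + 3600;
    $token = jwt_sign(['sub' => $userId, 'iat' => time(), 'exp' => $exp], $key);
    setcookie('auth', $token, [
        'expires'  => $exp,
        'path'     => '/',
        'secure'   => true,     // HTTPS only
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Strict', // not sent on cross-site requests
    ]);
}

// What the PHP script does on every request: pick the user id out of the cookie
// only after the signature and expiry have been validated.
function user_from_cookie(string $key): ?int
{
    $claims = jwt_verify($_COOKIE['auth'] ?? '', $key);
    return $claims === null ? null : (int) $claims['sub'];
}

// Self-check from the command line (no cookie is set there):
//   JWT_KEY=$(openssl rand -hex 32) php jwt_cookie.php
if (PHP_SAPI === 'cli') {
    $key = getenv('JWT_KEY');
    if ($key === false || strlen($key) < 32) {
        fwrite(STDERR, "set JWT_KEY to a random secret of at least 32 bytes\n");
        exit(1);
    }
    $t = jwt_sign(['sub' => 42, 'iat' => time(), 'exp' => time() + 60], $key);
    $claims = jwt_verify($t, $key);
    echo 'valid token:       ', ($claims !== null && $claims['sub'] === 42) ? 'ok' : 'FAIL', "\n";
    echo 'tampered token:    ', jwt_verify($t . 'x', $key) === null ? 'ok' : 'FAIL', "\n";
    echo 'wrong key:         ', jwt_verify($t, str_repeat('k', 32)) === null ? 'ok' : 'FAIL', "\n";
}
```

Two design points worth keeping even if you swap in a library: the verifier pins the algorithm instead of reading it from the token, and the signature is compared with `hash_equals()` rather than `===`. Because the cookie is `HttpOnly`, the JWT never has to live in HTML5 storage where page scripts could read it.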