Trying to get my head around not using the traditional $_SESSION
to keep a user logged in across pages. Are there security issues with storing a JWT in a cookie to authenticate a user session?
Here's a bare example of what I'm trying to do:
config.php
<?php
$key = "secret123";

login.php
<?php
require 'vendor/autoload.php'; // Composer autoloader for firebase/php-jwt
require 'config.php';
use Firebase\JWT\JWT; // A simple library to encode/decode JWT
// ... assumed valid user/pass, set cookie session
$token = ['uid' => 123];
$jwt = JWT::encode($token, $key, 'HS256');
setcookie('jwt', $jwt);
// redirect to private page

private_page.php
<?php
require 'vendor/autoload.php';
require 'config.php';
use Firebase\JWT\JWT;
if (isset($_COOKIE['jwt'])) {
    // check if JWT is tampered
    try {
        $decoded = JWT::decode($_COOKIE['jwt'], $key, ['HS256']);
    } catch (Exception $ex) {
        echo 'Invalid authentication';
        exit; // stop here; $decoded is not set when the signature check fails
    }
    // JWT::decode() returns an object, so the claim is a property, not an array key
    echo 'You are logged in as uid '.$decoded->uid;
}
else {
    echo 'You are NOT logged in';
}
Is this implementation secure enough, and what other things should I consider?
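The snippet in the question leaves three gaps that a reviewer would flag: the cookie is set with no `Secure`, `HttpOnly` or `SameSite` flags, the token never expires, and the key is a short guessable string. The following is an added example, not code from the question or from the firebase/php-jwt library, showing an HS256 JWT built by hand so the signing, algorithm pinning, constant-time signature comparison and expiry check are all visible, issued into a cookie with the flags set. It assumes PHP 7.3 or later (the array form of setcookie) and a 32-byte key supplied through a hypothetical JWT_HS256_KEY environment variable; the function names and the self-check at the bottom are mine.

```php
<?php
// Added example (not from the original question). Minimal HS256 JWT with expiry,
// pinned algorithm and constant-time verification, set as a hardened cookie.
// Assumptions: PHP >= 7.3; key comes from the hypothetical JWT_HS256_KEY env var.

// A real deployment loads one persistent key (32 random bytes, hex-encoded) from
// the environment or a file outside the web root. The random_bytes() fallback is
// only so this file runs stand-alone; a per-process key would invalidate every
// token on each request.
$key = getenv('JWT_HS256_KEY') !== false
    ? hex2bin(getenv('JWT_HS256_KEY'))
    : random_bytes(32);

function b64url_encode(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

// Returns the decoded bytes, or false for input that is not valid base64url.
function b64url_decode(string $data) {
    $pad = strlen($data) % 4;
    if ($pad) {
        $data .= str_repeat('=', 4 - $pad);
    }
    return base64_decode(strtr($data, '-_', '+/'), true);
}

// Issue a token carrying $claims plus iat/exp; $ttl is the lifetime in seconds.
function jwt_sign(array $claims, string $key, int $ttl = 900): string {
    $now = time();
    $claims += ['iat' => $now, 'exp' => $now + $ttl];
    $header  = b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url_encode(json_encode($claims));
    $sig = hash_hmac('sha256', "$header.$payload", $key, true);
    return "$header.$payload." . b64url_encode($sig);
}

// Returns the claims array, or null if the token is malformed, forged or expired.
function jwt_verify(string $jwt, string $key): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;
    // Pin the algorithm on the server side; never act on the alg the token claims
    // ("none" or a key-confusion algorithm must be rejected, not honoured).
    $header = json_decode((string) b64url_decode($h), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null;
    }
    $expected = hash_hmac('sha256', "$h.$p", $key, true);
    $given = b64url_decode($s);
    // hash_equals() avoids leaking the position of the first mismatching byte.
    if ($given === false || !hash_equals($expected, $given)) {
        return null;
    }
    $claims = json_decode((string) b64url_decode($p), true);
    if (!is_array($claims) || !isset($claims['exp']) || time() >= (int) $claims['exp']) {
        return null;
    }
    return $claims;
}

// login.php equivalent: the flags that a bare setcookie('jwt', $jwt) omits.
function issue_session_cookie(string $jwt): void {
    setcookie('jwt', $jwt, [
        'expires'  => 0,         // browser session cookie; the token's exp is the real limit
        'path'     => '/',
        'secure'   => true,      // never sent over plain HTTP
        'httponly' => true,      // not readable from JavaScript, so XSS cannot read it
        'samesite' => 'Strict',  // not attached to cross-site requests, limits CSRF
    ]);
}

// private_page.php equivalent: the uid of the logged-in user, or null.
function current_uid(string $key): ?int {
    if (!isset($_COOKIE['jwt'])) {
        return null;
    }
    $claims = jwt_verify($_COOKIE['jwt'], $key);
    return $claims === null ? null : (int) $claims['uid'];
}

// Self-check with constructed tokens (no cookie or web server involved).
function self_check(string $key): bool {
    $good = jwt_sign(['uid' => 123], $key);
    $parts = explode('.', $good);
    $parts[1] = b64url_encode(json_encode(['uid' => 1, 'exp' => time() + 3600]));
    $forged = implode('.', $parts);                          // payload edited, old signature
    $none = b64url_encode(json_encode(['alg' => 'none'])) . ".{$parts[1]}.";
    $expired = jwt_sign(['uid' => 123], $key, -1);           // exp already in the past
    return jwt_verify($good, $key)['uid'] === 123
        && jwt_verify($forged, $key) === null
        && jwt_verify($none, $key) === null
        && jwt_verify($expired, $key) === null;
}

echo self_check($key) ? "self-check passed\n" : "self-check FAILED\n";
```

Run it from the CLI with `JWT_HS256_KEY=$(php -r 'echo bin2hex(random_bytes(32));') php example.php`. The short `ttl` is deliberate: a stateless token cannot be revoked on logout, so a short lifetime (with a separate refresh step) is the usual compensating control, and any claim you put in the payload is readable by the client since the JWT is only signed, not encrypted.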