Randomly generated token vs JSON web token

Question

I'm trying to secure access to my web server.

I have been implementing a JSON web token authentication where I randomly generate a secretkey and associate it with that user. The secretkey will then be used to encode the JSON web token. Then the user will use the JSON web token to access my web server.

I was also thinking of this simpler method. Is there a reason not to just randomly generate a key and associate the user with that. Then authenticate with that?

Answer 1

Either way is fine, it just depends whether you want authentication to be stateless.

Advantages of JWTs:

• Stateless.
• Little or no database overhead.
• Individual back-end components can validate the token in isolation, simply by knowing the secret key.

Disadvantages:

• As authentication state is stored client-side, you cannot invalidate logins server-side.

Depending on the risk appetite of your application, this could be a big enough disadvantage for you to move all authentication logic to server-side.

Note that you could combine the two, and have the authenticated token supplied client-side validated server-side (i.e. the token inside the JWT is validated by a MAC, and the token itself is stored in a database). This protects against the situation where your session table is exposed by an attack as an attacker cannot use the session identifiers directly to hijack a session without knowing the secret key used to validate the MAC.