I prefer JSON Web Tokens too, but it's not true that you can't scale well with cookies. You can use connect-redis with express-session, which will make it faster (you can still have multiple replicas of your api). Not to mention cookies are more secure than JWT tokens. If someone puts sensitive information in the payload, you are screwed-up, because anyone can decode the payload of the JWT token. It's just a base64 value.
In the end, it will depend on what you are building. :)
When the state is stored on the server like it is with the session approached, the bigger the app is, the more resources will be needed to the server (for example Reddit size) for every user that logs, the server will need to store the user state in the memory. The JWT is stored in the client browser and the server is just doing verification to check if the token is signed, that's why it can scale great with the size of the app.
I believe you should read this article about Sessions and JWT that shows that JWT is not suited for managing sessions. cryto.net/~joepie91/blog/2016/06/1...
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
I prefer JSON Web Tokens too, but it's not true that you can't scale well with cookies. You can use connect-redis with express-session, which will make it faster (you can still have multiple replicas of your api). Not to mention cookies are more secure than JWT tokens. If someone puts sensitive information in the payload, you are screwed-up, because anyone can decode the payload of the JWT token. It's just a base64 value.
In the end, it will depend on what you are building. :)
I'm a bit confused about "The user state is not stored on the server with this approach instead it is stored in the token."
and in the next paragraph there is "Generally, the JSON Web Token scales much better with the size of the application because it is stateless,"
Can you explain, please?
When the state is stored on the server like it is with the session approached, the bigger the app is, the more resources will be needed to the server (for example Reddit size) for every user that logs, the server will need to store the user state in the memory. The JWT is stored in the client browser and the server is just doing verification to check if the token is signed, that's why it can scale great with the size of the app.
Berry cool !!!
Great article. Shared this with fellow nerds on a chat group.
Very informative article! thanks.
One thing i want to say please mention TLS.
SSL is outdated we should use TLS 1.3 or TLS 1.2 !
In JWT, to validate the token, doesn't the server need to save it in a database? Doesn't it require space?
Or else, how is the validation done?
The JWT is signed from the server with a private key and then it is sent to the client, so the server can verify the token if it's legit or not.
I believe you should read this article about Sessions and JWT that shows that JWT is not suited for managing sessions. cryto.net/~joepie91/blog/2016/06/1...