undefined | Better HN

0 pointsjondubois7y ago0 comments

JWT is simpler to implement and more scalable than the sessionId approach so why would you use the more complex solution to get an inferior result?

With JWT, you only need to do a single database lookup when the user logs in with their password at the beginning... You don't need to do any other lookup afterwards to reissue the token; just having the old (still valid but soon-to-expire) JWT in memory is enough of a basis to issue a fresh token with an updated expiry.

It scales better because if you have multiple servers, they don't need to share a database/datastore to manage sessionIds.

0 comments

6 comments · 2 top-level

groestl7y ago· 3 in thread

With WebSockets, you also have just one lookup when opening the connection. No scalability issue here.

jonduboisOP7y ago

This is not accounting for reconnect scenarios. With sessionId, if the user loses the connection and reconnects, there will need to be another DB lookup to verify that the sessionId is valid. This is not the case with JWT. The validity of the JWT can be checked without any DB lookups.

Also, this is a security consideration because a malicious user could intentionally send fake sessionIds to make us DoS our database. With JWT, verification of the signature only uses CPU on the workers which are easier to scale.

ynniv7y ago

You can sign session ids to prevent DoS, and you can cache session ids to avoid database lookups, but you can't detect forged or stolen JWT tokens.

1 more reply

throwawaymath7y ago

Why wouldn’t you rate limit connections? That is something you should be doing anyway, and it neatly resolves the denial of service problem.

michaelt7y ago· 1 in thread

I don't know what stack you're working with that makes you say re-issuing JWT every 50 seconds over WebSockets is simpler to implement than the session ID approach people have been using for 20+ years :)

nine_k7y ago

Simpler != cheaper WRT resource consumption. Not having to hit a DB means not having to replicate the DB to respond quickly, and having one fewer point of failure.

If you can live with quickly expiring, quickly reissued crypto tokens like JWT, it's a boon.

But JWT definitely don't work for web auth. They can be used as CSRF tokens, though.

j / k navigate · click thread line to collapse