JSON Web Tokens (JWTs) are not safe

In this book, we go into JWTs, their perceived benefits, and actual dangers. We’ll also discuss battle-tested solutions to replace them. We’ll explore:

  • HTTP Sessions, Authentication, and Authorization
  • The need for something like JWT
  • JWTs’ perceived benefits and actual dangers 
  • JWT workarounds and the complexities around that
  • Using Redis for session storage instead of JWTs
  • Sessions storage when Redis is used as a Primary DB 
  • Finally, you’ll also learn how to use Redis + JWT! Another common approach to managing user session

Download the e-book now

Thanks for your interest in this resource.

Download Now

You will also receive a link to this document at the email address you provided. Browse additional resources from our library of Case Studies, Benchmarks, and more!

Continue Your Journey to Rediscover Redis

JSON Web Tokens can be used to validate user locally without the need for a database but then you put yourself at risk for massive security issues.

Randall Degges

Head of Developer Advocacy, Okta

To be clear: This article does not argue that you should never use JWT—just that it isn’t suitable as a session mechanism, and that it is dangerous to use it like that. Valid use cases do exist for them, in other areas.

Sven Slootweg, Stop Using JWT for Sessions

I don’t care if you want to use stateless client tokens. They’re fine. You should understand the operational limitations (they may keep you up late on a Friday scrambling to deploy a token blacklist), but, we’re all adults here, and you can make your own decisions about that. The issue with JWT in particular is that it doesn’t bring anything to the table, but comes with a whole lot of terrifying complexity. Worse, you as a developer won’t see that complexity: JWT looks like a simple token with a magic cryptographically protected bag-of-attributes interface. The problems are all behind the scenes.

Thomas H. Ptacek

a well-known security researcher on Hacker News