How are cookies different from JWT and why are they considered inferior to JWT?

I read about using tokens for authentication. I do not, however, understand how tokens (JWTs) differ from cookies. Both store user information (like the claims in a token), both can be persisted, and both are sent with every client request to the server.

Several questions that come to mind besides the above -

  • Are JWT tokens unaffected by a man-in-the-middle attack? If someone steals a token (on an unencrypted channel), could they present themselves as the original user? (unless we add the user's IP address to the claims)

  • I've read several statements that cookies are not suitable for modern mobile apps, and tokens are the answer. Why?

  • Why are tokens considered more secure than cookies? What makes them more invulnerable to attacks?

  • Does a token have to be issued only by the server, or is it possible to obtain a token from another OAuth provider, modify it (add / remove claims) and reuse it?

  • Performance: cookies are "bad" in that they have a size limit, so they usually store only the session id, with the session data kept on the server. This keeps cookies small. With JWT, the entire token has to be sent, so if the token contains session data as claims, we essentially send this larger token every time. If I understand correctly, isn't the performance of JWT much worse than that of cookies?

Thanks



1 answer


JWT tokens are not affected by a man-in-the-middle attack?

Yes, you must use HTTPS so that no one can see the JWT in the HTTP request headers. If someone obtains a token, they can present themselves as the original user. The same can be done with cookies.

I have read several statements that cookies are not suitable for modern mobile applications and tokens are the answer. Why?

Most mobile apps don't use browsers to make HTTP requests. Browsers make working with cookies a hassle-free experience for web developers. For mobile developers, using JWT can be less cumbersome than working with cookies.

Why are tokens considered more secure than cookies? What makes them more invulnerable to attacks?
Tokens are not necessarily more secure than cookies (cookies can be signed like a JWT). The security benefit comes from the fact that they are not subject to exploits that trick the browser into sending cookies unintentionally (CSRF attacks).

Does a token have to be issued only by the server, or can I get a token from another OAuth provider, modify it (add / remove claims) and reuse it?

A JWT is signed with a secret that only the server / organization that generated it needs to know. This way, only servers that know the secret can verify that the token is valid. While the server that generates the token doesn't have to be the same one that validates it, there is no point in modifying and reusing someone else's token.
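To make the points in this answer concrete, here is an added example (not from the original post) of an HMAC-signed JWT: anyone holding the token can read its claims (hence HTTPS), the signature only verifies under the issuing secret, and editing a claim invalidates it. The secret, claims and the helper names are constructed for the example; a real service would use a maintained JWT library.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT: header.payload.signature, HMAC-SHA256 over header.payload."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes):
    """Return the claims if the signature matches this secret, otherwise None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return None  # only accept the algorithm we issue; never trust the token's own choice
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))


def read_claims_unverified(token: str) -> dict:
    """The payload is only base64url-encoded, not encrypted: whoever sees the token sees the claims."""
    return json.loads(_b64url_decode(token.split(".")[1]))


SERVER_SECRET = b"constructed-secret-for-this-example"  # constructed, not a real key


def demo() -> dict:
    token = sign_jwt({"sub": "alice", "role": "user"}, SERVER_SECRET)
    header, _payload, sig = token.split(".")
    # Tampering: swap the payload for one with an edited claim but keep the old signature.
    tampered = f"{header}.{_b64url(json.dumps({'sub': 'alice', 'role': 'admin'}).encode())}.{sig}"
    return {
        "valid": verify_jwt(token, SERVER_SECRET),              # claims come back
        "other_secret": verify_jwt(token, b"someone-elses-secret"),  # None: another issuer's token
        "tampered": verify_jwt(tampered, SERVER_SECRET),        # None: edited claims fail
        "readable": read_claims_unverified(token),              # claims visible without the secret
    }
```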
