Session vs Token Authentication in 100 Seconds

  Рет қаралды 1,147,408

Fireship

Fireship

Күн бұрын

Пікірлер: 413
@lolllolol5416
@lolllolol5416 4 жыл бұрын
I am actually suspicious if you are creeping on my search history, 3 times in a row you gave me what I wanted to understand the next day.
@luxunited5449
@luxunited5449 4 жыл бұрын
I didn't even searched for something like this, just thought of it...
@sarcasm1015
@sarcasm1015 3 жыл бұрын
KZbin algorithm at its finest
@naniy143
@naniy143 3 жыл бұрын
Universe at work.
@jimhalpert9803
@jimhalpert9803 3 жыл бұрын
Real
@ansadahmad1958
@ansadahmad1958 3 жыл бұрын
You mean this channel uploaded the video right after you were searching for it in google?
@princesharzeel8237
@princesharzeel8237 4 жыл бұрын
Fireship is on fire with regular uploads.
@AreyHawUstad
@AreyHawUstad 4 жыл бұрын
This one looked sponsored. But who cares, Jeff explained me JWT in 100 seconds which I had been struggling to understand since a few months now.
@michalurban8536
@michalurban8536 4 жыл бұрын
You make the highest quality programming videos on youtube, great job!
@mwimb6716
@mwimb6716 3 жыл бұрын
I 100% agree with this
@fieryscorpion
@fieryscorpion Жыл бұрын
This guy doesn’t know shit.
@aladdinovich
@aladdinovich 4 жыл бұрын
I became addicted to this channel, I feel it is like my daily injection that I can't live without.
@hampuswestman8722
@hampuswestman8722 3 жыл бұрын
Knowledge is a hell of a drug
@fadilrahadiansyah4223
@fadilrahadiansyah4223 3 жыл бұрын
yes you're goddamn right
@soumyajitdey5720
@soumyajitdey5720 3 жыл бұрын
Absolutely true. It's the same for me too🔥
@graf_tec
@graf_tec 3 жыл бұрын
Me too
@Evoleo
@Evoleo 3 жыл бұрын
SQL injection
@CodingWithLewis
@CodingWithLewis 4 жыл бұрын
I love that in the video you never gave a reason as to why one was better than the other. Cyber Security is a field that is just constantly being evolved and I loved the explanation of both. JWT has been an incredible tool I've used for a while now and I will not go back. Always love the videos Fireship!
@786ranabasharat
@786ranabasharat 5 ай бұрын
45 likes and no replies in 3 years? I'll fix that
@KanagawaMarcos
@KanagawaMarcos 3 жыл бұрын
Man, you way of teaching "something in 100 seconds" is awesome. I'll try to do the same in my work with juniors, you're in inspiration!
@davedurkee8853
@davedurkee8853 11 ай бұрын
Your juniors can get the info here. Give them a bit more than 2 minutes. They will appreciate it.
@ZyncInteractive
@ZyncInteractive 4 жыл бұрын
Every-time I see one of these new 100 seconds of something video show up in my playlist, brightens my day a little more. Thank you for producing great content!
@estym_
@estym_ 4 жыл бұрын
That's a really quick yet good introduction to Session and Token Authentification, that no joke helped me have a better understanding of these authentification methods x) What about Redis in 100 Seconds for a future video?
@Fireship
@Fireship 4 жыл бұрын
Thank you. Good idea, I want to cover more DBs in this format.
@daheck81
@daheck81 4 жыл бұрын
@@edwardsmale3977 Redis is just a key value store which makes it extemely fast. Adding/reading/removing data works basically like the local/session storage in a browser. It’s mostly used for storing session or caching data.
@gaoalexander73
@gaoalexander73 3 жыл бұрын
With serverside sessions, its common to shove that data it into some external memory storage like redis. It frees up load on your database, plus that data doesn't need to be persistent anyways. And it keeps your api servers or w.e stateless, makes it easier to autoscale stuff while it sits behind a load balancer.
@yt-sh
@yt-sh 3 жыл бұрын
​@@Fireship hello there, do make RUST in 100 seconds and React state management in 100 seconds
@Spreadlove5683
@Spreadlove5683 2 жыл бұрын
@@Fireship At 1:40, what does it mean that web tokens "can't be used to authenticate a user in the background on the server"?
@mikemartin6748
@mikemartin6748 2 жыл бұрын
You can also do token-based authentication with cookies. You just store the user id, expiry, and signature in 3 cookies or in 1 cookie with a separator and roll your own standard for concatenating the user id and expiry and hashing it to check the signature. In reality, JWTs are just a standard for doing exactly that.
@zedshockblade7157
@zedshockblade7157 2 жыл бұрын
This i what i’m trying to figure out. If you store the jwt in a cookie/http only cookie. Is it still considered as token based auth? Or it is now cookie based auth?, Also if you indeed store the jwt in the cookie, how can you attach the jwt on the header as bearer token in your request?
@DarkWaffle56
@DarkWaffle56 2 жыл бұрын
@@zedshockblade7157 cookies are sent automagically to any requests made to the specific server in which they were created, so you don’t need to include them in the headers manually
@igor9silva
@igor9silva Жыл бұрын
​@@zedshockblade7157 those are 2 separate things. Manually adding the SECRET (let's call it that, for now) to the Authorization header on every request versus storing it and as a cookie (and letting the browser automatically add the cookie header on every request) will achieve the very same goal. Now, there's the SECRET type. A "session" is a token you generate and store in memory or disk storage. You have to check the user sent SECRET through a list of valid sessions every request. The "token" is signed using a hashing algorithm, so you can mathematically prove you are the one who created the token (and not someone else). That way, you don't have to go through a list, you just trust it. One con of the that last approach is that you can't revoke a token (by removing it from the valid tokens list). That feature can be important in some systems (e.g. revoke every user session when he changes the password).
@TheFeljoy
@TheFeljoy Жыл бұрын
@@igor9silvaThis is the correct answer. How you transfer the data (cookie or header) is not really important for how the validation works. Also really good tip about revoking access control👍
@Vichion
@Vichion Жыл бұрын
​@@igor9silvacouldn't you just use a UUID for every device for this method? So you concat and hash user id, username and the device uuid, if that token doesn't match one stored on the server then access denied...
@JosephLuklukkyjoe
@JosephLuklukkyjoe 4 жыл бұрын
please make a video on CORS please! I think it's one such topic where others watch 10 videos on it and still don't get it but you knock it out the park with one 100 sec video.
@felixdeiters7518
@felixdeiters7518 2 жыл бұрын
kzbin.info/www/bejne/anyrmoaqZdR_gJI
@miQize
@miQize 3 жыл бұрын
By far the clearest explanation I've seen. Well done!
@KBoB5arc
@KBoB5arc 2 жыл бұрын
I don't know how I could live so long without this channel
@Joerje
@Joerje 4 жыл бұрын
Yesterday I was crying myself to bed because of this, perfect timing :)
@osamaa.h.altameemi5592
@osamaa.h.altameemi5592 4 жыл бұрын
Man you are simply gifted in getting ur idea to the audience.
@lwinklly
@lwinklly Жыл бұрын
Finally an authentication video that pronounces JWT correctly
@Bazixxx
@Bazixxx 5 ай бұрын
If this is ur only problem 😂
@Yaxqb
@Yaxqb 3 жыл бұрын
A hot recommendation, don't use JWT if you don't have scaling issues. It just complicates things and you'll likely to reimplement things that sessions solve for you
@mikemartin6748
@mikemartin6748 2 жыл бұрын
I don't think JWTs are that complicated. It's all handled with standardized libraries that make it quick and pain-free
@hk.32
@hk.32 2 жыл бұрын
@Jack Lusher Sessions for the win!
@bossgd100
@bossgd100 2 жыл бұрын
can you provide more details ?
@codinginflow
@codinginflow Жыл бұрын
​@@mikemartin6748What library handles the refresh process in a pain-free way? Except for full-blown backend services like Supabase. And then you still have the problem that you can't invalidate a token instantly when your account was hacked and you need to change your password.
@dandayne
@dandayne Жыл бұрын
Unless you develop your server in Assembly or have a compulsory need to reinvent the wheel by writing your own code for everything, this isn't true.
@raniathemri949
@raniathemri949 2 жыл бұрын
i am addicted to your content it is understandable simple and gives a general overview in few minutes so when i intend to learn something i come here first lots of thanks.
@brucewayne2480
@brucewayne2480 4 жыл бұрын
I use both at the same time : tokens to make front end independent from backend logic and sessions to store refresh tokens for each issued token and tracking sessions' number
@JordanPlayz158
@JordanPlayz158 2 жыл бұрын
Interesting, I permit both so I don't need to make a frontend and backend api, feels like it just needlessly complicates things, couldn't find any articles about pros and cons of doing this? Is there any benefit, if so I'd be greatful if someone can let me know
@tylerdurden2832
@tylerdurden2832 4 жыл бұрын
Your timing is perfect. I was studying this.
@johnhopkins4752
@johnhopkins4752 4 жыл бұрын
Bro I need a “Whatever the heck i needed to know in order to understand this” in 100 seconds
@DontBeMadBro
@DontBeMadBro 4 жыл бұрын
I love these 100s videos. You are on fire, literally
@NNNedlog
@NNNedlog 2 жыл бұрын
While watching this, I got a notification of your video "C++ in 100 seconds". Do immediately I finish this, I'll head over to the new video
@Klayperson
@Klayperson 2 жыл бұрын
To help prevent stolen authorization tokens from being too dangerous, make them expire very quickly and implement a refresh token so that properly authenticated users can automatically receive fresh auth tokens before expiration so they don't have to keep relogging in.
@LilmeMusic
@LilmeMusic 2 жыл бұрын
No. If you make the token expire quickly, then the user has to log in way more frequently. A token is created when a user logs in with lets say a username and password. If that token is set to last for 30 mins, then during that 30 mins, if the user logs out, he doesn't have to enter his username and password to log in, he would enter the website automatically. But once 30 mins has passed and the user closes the website, the token will expire and he would have to put the username and password again to enter the website and create another token that would last another 30mins. The longer the token time, the less frequently the user has to log in with his username and password. And there is actually no need to fear hackers lmao(I can explain why if you want to know but JWT's are virtually impossible to hack). The only way is if the hacker steals the device of the user and the jwt has not expired yet, the hacker can just login freely, which just makes him a thief, lol. The responsibility of keeping the device safe falls on the user, not the web server(your server) but yeah you could make the jwt expiry time very short but I dont think its worth it
@niccpolitic6129
@niccpolitic6129 2 жыл бұрын
@@LilmeMusic Ideally it would fall on the user but users are fucking stupid lmao
@buddh4r
@buddh4r 2 жыл бұрын
@@LilmeMusic That's why he mentioned the refresh token. If the auth token expires, the refresh token is used to get a new one. The refresh token will be valid for way longer than the auth token.
2 жыл бұрын
@@buddh4r isnt that just passing the problem to refresh token? Someone can hijack refresh token and keep making auth tokens
@buddh4r
@buddh4r 2 жыл бұрын
@ The refresh token should only be sent when required so e.g. when using cookies, set a path in order to only include the cookie in the refresh request, you can also invalidate refresh tokens once they are used and create a new one (this may requires some server state). But yes generally if the refresh cookie is stolen its bad, but its the same (or less) risk as using session cookies which are not invalidated (at least not very often when using long sessions) and send with every request.
@smakosh
@smakosh 3 жыл бұрын
Cookies are not vulnerable to CSRF attack if you set the sameSite with a value of lax, mark it as http only and secure.
@pranavbakare8922
@pranavbakare8922 3 жыл бұрын
Addiction to small video with effective understanding!!!!!
@kamiyabasamadi4166
@kamiyabasamadi4166 4 жыл бұрын
what about refresh token and access token. can we solve the token based problem this way.
@daheck81
@daheck81 4 жыл бұрын
It’s not solving the problem in general but it makes it harder to exploit. So definitely a way to go. The safest approach using JWTs is to store/send them as httpOnly + SameSite cookies while using the accesss/refresh token approach.
@rumble1925
@rumble1925 3 жыл бұрын
@@daheck81 Hmm I'm sending the jwt as a response and save it to localstorage but use httpOnly + SameSite cookies for the refreshToken. Is that an ok approach?
@daheck81
@daheck81 3 жыл бұрын
@@rumble1925 Yes, that’s actually how I'm using it most of the time as well. As long as you keep the expiry time of your access token low (< 15 mins) this is safe enough.
@rumble1925
@rumble1925 3 жыл бұрын
@@daheck81 nice, thanks :)
@MiladCale
@MiladCale 3 жыл бұрын
We store both JWT and the refresh token in cookies. It seems to be the most balanced solution between security and scalability.
@Mankepanke
@Mankepanke 2 жыл бұрын
Sounds very bloated more like. You'd get the negative parts of both without the positive parts of either (not that JWT has any positive parts in the first place, though).
@uwirl4338
@uwirl4338 2 жыл бұрын
@@Mankepanke "Not that JWT has any positive parts in the first place" then why oh why are people using it enough for it to be one out of the two standards for web authentication? Why, Magnus Bergmark, why? People will really fanboy over the tiniest things.
@samplebriefmint4204
@samplebriefmint4204 2 жыл бұрын
@@uwirl4338 Mostly because of it's simplicity. I'd concur that security wise, well implemented sessions are most likely more secure than well implemented JWT, but JWTs are easier to quickly add to any codebase, especially with the popularity of "serverless" nowadays, I think
@LuminousWhispers11
@LuminousWhispers11 2 жыл бұрын
@@uwirl4338 .... When you are in a argument never ever attempt to bring up that just because people uses a technology means that is good... Also, the amount of people using it doesn't relate to why it is a standard...
@yehor_ivanov
@yehor_ivanov Жыл бұрын
@@LuminousWhispers11 has anyone asked for a life advise here though?.. don't think so )
@ytsharmahandle
@ytsharmahandle 4 жыл бұрын
just love all your high quality and super informative videos 🤩
@CodingUnited
@CodingUnited 4 жыл бұрын
Wow, KZbin has a different description setup on the app.
@_jn0298
@_jn0298 4 жыл бұрын
An the icons are more "hd"
@SirusStarTV
@SirusStarTV 4 жыл бұрын
Are you internet explorer or what
@sarvagya-sharma
@sarvagya-sharma 4 жыл бұрын
And much better
@iyxan23
@iyxan23 4 жыл бұрын
This is getting very weird
@CodingUnited
@CodingUnited 4 жыл бұрын
Woah, how does this have 41 likes?!?
@saiddope2241
@saiddope2241 2 жыл бұрын
omg thank u for the simple and easy to understand way to explain things
@Spreadlove5683
@Spreadlove5683 2 жыл бұрын
At 1:40, what does it mean that web tokens "can't be used to authenticate a user in the background on the server"?
@Daniel__y3i2
@Daniel__y3i2 5 ай бұрын
Your Bitcoin transfer has sailed through without a glitch-congratulations!
@mohamadrezamotaghi7427
@mohamadrezamotaghi7427 3 жыл бұрын
The best explanation on these stuff.
@igor9silva
@igor9silva Жыл бұрын
I do sessions so I can revoke them (kept on Redis cache, purged on revoke), but I do encapsulate it into JWT tokens so they can contain more (and signed, verifiable) data. As the transfer protocol, I do cookies 😅 best of both worlds.
@jackdavenport5011
@jackdavenport5011 Жыл бұрын
To me, using http only cookies is the better option. Not only are they automatically attached to every request, but they can’t be stolen with an XSS attack unlike using localstorage.
@DrJimmyBob
@DrJimmyBob 4 жыл бұрын
I actually love this channel
@whonayem01
@whonayem01 3 жыл бұрын
i love your 100 seconds series. want more videos
@NicolaiWeitkemper
@NicolaiWeitkemper 4 жыл бұрын
1:06 Would have liked to hear what some of these challenges are.
@MF-ty2xn
@MF-ty2xn 4 жыл бұрын
If someone is able to steal the token, they would be able to do as many requests they wanted pretending to be that person, that's why it's important put a short expiration time the tokens and use refresh to keep them logged for longer time
@shashikanthp3145
@shashikanthp3145 4 жыл бұрын
@@MF-ty2xn how can access token be easily stolen but not refresh tokens ?
@MF-ty2xn
@MF-ty2xn 4 жыл бұрын
@@shashikanthp3145 Tokens are sent everytime to the server on the moment to get resources to verify user identity, refresh tokens however would just be exchanged with the auth server to refresh the token when necessary this make it less risky for the refresh token to persist for long time
@Jordan-er9bx
@Jordan-er9bx 4 жыл бұрын
Please can you do a longer video on JWTs
@SharkForG
@SharkForG 2 жыл бұрын
With an SPA JWT is a good solution but with its downsides. I am trying some workarounds to make it stateful ( I know, I know…) but easily manageable and light without refreshing the token all the time or hitting the database. So, when user’s logging in, I generate a private key with a passphrase ( the hashed user’s email + ID) and saving the key to a file. The filename of the key is a hash of the hashed user’s email + ID + user agent. In the database I just track the generated filename, user id, agent and timestamps. When a request is made this public information from the payload is combined so the private key file can be fetched. If the user agent is different or the key file is deleted, then the file can’t be found so the JWT can’t be validated. If everything is ok the public key is extracted from private key, validating the JWT. Thoughts?
@LilmeMusic
@LilmeMusic 2 жыл бұрын
JWT's dont hit the database, no need to waste your time. We store nothing on our servers and database, if we did there would be no point, we would just go back to sessions. JWT's are secure enough, dont worry
@ITheAvengersI
@ITheAvengersI 4 жыл бұрын
What firebase uses for authentication ?
@Fireship
@Fireship 4 жыл бұрын
You can do both with Firebase, but it defaults to token-based
@andrewding746
@andrewding746 4 жыл бұрын
@@Fireship How would we know if it's token or session?
@danielbrambila7018
@danielbrambila7018 4 жыл бұрын
Love your vids, super clear super fast hehe
@ShilohFox
@ShilohFox Жыл бұрын
Absolutely wonderful explanation! Thank you for this video :)
@LimitedWard
@LimitedWard 4 жыл бұрын
I still don't understand how tokens solve the storage issue. What aspect of the JWT uniquely identifies the user? Edit: I get it now. JWTs are cryptographically signed. So the server just decrypts and validates the token data
@benamato2880
@benamato2880 2 жыл бұрын
you can also store whatever user data you want inside the JWT, which is handy and saves on traffic
@TheScoobysteve
@TheScoobysteve 2 жыл бұрын
So I've been working in my first programmer job for about two months now. Anytime I have a 'Hello, World! ' moment the very first place I look is always these 100s explanations.
@nothingnoone8752
@nothingnoone8752 4 жыл бұрын
Dang this channel is _really_ good.
@googleuser9422
@googleuser9422 4 жыл бұрын
Thank you! I was needing this
@huh_wtf
@huh_wtf 4 жыл бұрын
this was ao perfectly timed for.me...i actually came for a video like this
@macoshev9774
@macoshev9774 3 жыл бұрын
The best channel !
@jbraat
@jbraat 4 жыл бұрын
Your videos are great. Thanks dude.
@Flynn1411
@Flynn1411 4 жыл бұрын
Your videos are superb!!
@brawnie3969
@brawnie3969 5 ай бұрын
Good video, I liked the explanation
@jamesfoo8999
@jamesfoo8999 2 жыл бұрын
Unfortunately if you want to use JWT with some level of control over invalidating tokens and logins, you have to store them in DB with an expiry and/or disabled column, and then you app needs to lookup the DB row to check the token is still valid/enabled.
@ggar493
@ggar493 2 жыл бұрын
what about storing some info in the JWT claims section? Is it a good idea?
@jamesfoo8999
@jamesfoo8999 2 жыл бұрын
​@@ggar493 You could, such as the hashed password and when a token is reported to be stolen etc change the users password and then hashed password in token wont match hashed password when you check it. However, whatever you put in the token you have to check on every request, the same as storing it in the DB with a "valid" column. The DB approach is simple and more likely for devs to understand. Also, the info in a token would have to be sensitive to the user somehow, then you're sending sensitive info around the net, encrypted or not it should be avoided, as this is a primary reason for tokens - authenticate with sensitive data once then use the token.
@sagnikpradhan3594
@sagnikpradhan3594 4 жыл бұрын
Needed longer version for this
@yt-sh
@yt-sh 10 ай бұрын
Thank you for making this video!
@mttni
@mttni 4 жыл бұрын
Maybe this is one of those topics where the "... 100 seconds" format doesn't work, the limitation of time doesn't expose all of the important facts about both authentication You make look like tokens are more secure and practical than sessions while there is much more to be said on pros and cons of both to let the developer really understand which one it's better for the job, I still think both methods can be used for different types of authentication.
@metallicadead
@metallicadead 2 жыл бұрын
Ha, funnily enough i’m currently in the middle of creating a mock shopping site coded with javaEE as a group project for school using JsessionId and running the Jdbc to access an SSMS database, and I was just wondering if there was another way to do identification to allow the management of a large amount of traffic. Perfect timing, KZbin, and thanks, Fireship!
@craft5875
@craft5875 4 жыл бұрын
Typescript in 100 seconds. Anyways, Your content is really useful.
@kodiak9664
@kodiak9664 4 жыл бұрын
So do tokens typically use symmetric or asymmetric key pairs to validate the signatures? And either way, the server still has to generate unique key pairings for each token and then store the private key doesn't it? But that's still more efficient that storing sessions IDs?
@AdroSlice
@AdroSlice 3 жыл бұрын
I think the server only has one private key, but honestly I have no fucking clue.
@ben.pueschel
@ben.pueschel 2 жыл бұрын
The idea is that you have one key pair for all of your tokens that you might want to swap relatively frequently. Anyone could then validate the generated tokens but only the server could generate them. With purely stateless tokens the server would only need to check if the signature matches (but you might want to store revoked tokens in a database to handle revoking access) and then authenticate whatever user is specified in the token itself. The server doesn't need to keep track of all the sessions and only has to validate if the signature is valid or not. You should never use symmetric encryption in that use case.
@tyc00n
@tyc00n 4 жыл бұрын
underrated topic but very important
@Alex-uf2ie
@Alex-uf2ie 4 жыл бұрын
What vscode for js does Fireship use in their tutorials?
@xiaotongyang6890
@xiaotongyang6890 3 жыл бұрын
is there a coupon for the websecurity academy?
@JanasV
@JanasV Жыл бұрын
What's a better form of authentication and authorization? Preferably one that can be implemented in Java or Spring Framework
@Penguinz-fr1mu
@Penguinz-fr1mu 3 жыл бұрын
I was just wondering this today omg!
@Wakkyguy
@Wakkyguy 4 жыл бұрын
Can I get a link to the playlist of your background tracks?
@danko95bgd
@danko95bgd 4 жыл бұрын
Can you make a video on casbin (authorization policy) lib. It's available in many languages and it would be nice if you could explain it, maybe even create few routes for demonstration.
@buka.a
@buka.a 3 жыл бұрын
which one is more safer to use??
@nodidog
@nodidog 4 жыл бұрын
I think your audio would benefit from a de-esser plugin. Great video as usual, though 👍
@oitan
@oitan Жыл бұрын
why not store jwt in cookie instead of local storage. Isn't it safer?
@fred.flintstone4099
@fred.flintstone4099 Жыл бұрын
Sure, but if you're going to use cookies, then you don't really need JWT tokens.
@juliusgrybauskas7643
@juliusgrybauskas7643 2 ай бұрын
@@fred.flintstone4099 well if you want stateless auth you still need some sort of token, since we need to somehow verify that token is valid
@ztest2975
@ztest2975 4 жыл бұрын
Please, create a video about OAuth authorization. Thanks in advance !
@S3Kglitches
@S3Kglitches 2 жыл бұрын
You should talk about that tokens and cookies stored privately from other websites etc. this would explain how an attacker can hijack the JWT - basically only copy it from the machine physically (except man in the middle attack where he can read HTTPS traffic)
@XoLucyna
@XoLucyna 2 жыл бұрын
It was really great and quick video but i've got some questions, when the server creates the session in the database does few or some services creates an expire time? like can the session be expired or invalid after 1 hour or after the defined amount of time? or sessions don't have any expire rate?
@gabrielpfgm
@gabrielpfgm 2 жыл бұрын
Would love to see content on DPoP and mTLS
@nabiisakhanov3522
@nabiisakhanov3522 4 жыл бұрын
Hooray new video!
@SamarthCat
@SamarthCat 2 жыл бұрын
Even though I *should* use the Authorization header, I don't. I just slap on a ?token= to my request and boom, job done!
@videomakville
@videomakville 2 жыл бұрын
What's the "vice versa" for "use the right tool for the job"? "Use the right job for the tool"?
@pancho3322
@pancho3322 3 жыл бұрын
As I got from the video; Sessions are recommended for web applications, and tokens are better for mobile applications, right?
@NIKHILVERMA-xr7lc
@NIKHILVERMA-xr7lc 3 жыл бұрын
production content in 100 seconds!!
@onionware1
@onionware1 Жыл бұрын
Don't forget to save a timestamp, when the user changes its password. Then check if the JWT was issued AFTER that timestamp. Otherwise, a hacker can steal the JWT and can still login, even when the user changed his password after he recognised that his account got hacked!
@user-vg7zv5us5r
@user-vg7zv5us5r Жыл бұрын
0:30 So cookies are like autosaves?
@ctfries1049
@ctfries1049 4 жыл бұрын
Can you do Yarn/NPM in 100 seconds?
@mohammadtanweerahmed3636
@mohammadtanweerahmed3636 3 жыл бұрын
I didn't het the part "it just have to verify the signature" so nothing stored on database. The token is sent with prefix Bearer what does token consists of ?
@patrickmullot73
@patrickmullot73 4 жыл бұрын
Thumbs up from Bartosz for his great work!!
@DevAcademyCom
@DevAcademyCom 4 жыл бұрын
Thank you :D
@teamgartz-motorsports6881
@teamgartz-motorsports6881 Жыл бұрын
Would be nice to include web authn to the comparisons. As it kinda mixes both.
@MegaQseft
@MegaQseft 4 жыл бұрын
May i ask which software you use to make your videos?
@SunilSkanda
@SunilSkanda 4 жыл бұрын
Go to his personal channel - Jeff Delaney, I think, where he has a video on this.
@gabimoncha
@gabimoncha 2 жыл бұрын
So what's the best way of authentification then?
@marcinkarbowniczyn9226
@marcinkarbowniczyn9226 6 ай бұрын
One question, can we say that using JWT is more stateless than using regular Tokens (like Django Tokens)? What I mean is, when we use regular Tokens we store them in the database. Every time there is a request with a Token in the header, we seek for it in the database and return a user connected to the Token. On the other hand, JWT may only store an ID of the user, so when the JWT is being sent, we decode it in our code and query for the User to the database. Do I undarstand the processes correctly? I also don't fully get it how JWT would be more efficient in larger apps, even though in both approaches we make queries to the database.
@gustavoshigueo
@gustavoshigueo 3 ай бұрын
Imagine a logged in user wants to save a post. They send you the post's text and the authentication data, for a session, that'd be a session ID. To save the post you need the user's ID, so you query the DB for "Which user does this seesion belong to?" and then you are able to create the post with the ID. With a JWT, you just verify the signature and decode it. The JWT already contains the user's ID, so you can immediately use it to save the post. You only need to hit the database for user info when their id isn't enough, e.g. getting the username. But it's still slightly faster than a session, because that'd envolve a JOIN
@nicetomeetugaming7024
@nicetomeetugaming7024 2 жыл бұрын
Amazing video sir!
@janoglezcampos
@janoglezcampos 3 жыл бұрын
Im storing the JWT token on cookies with some user info (an user ID basically) on the service im developing, do you think that's secure enough?
@PaperBenni
@PaperBenni 3 жыл бұрын
Stupid question, can't the server also sign cookies?
@GaneshGfx
@GaneshGfx 4 жыл бұрын
I'm literally thinking thinking about Token, Thanks for this Video 👍
@zugdsbtngizudsgbnudsdsoiu
@zugdsbtngizudsgbnudsdsoiu 3 жыл бұрын
Its basically the same because the session is also a token and the cookie is sent as an http header so who cares if its cookies or authorization. You can also use JWT tokens and implement your own session handler to achieve stateless sessions. They dont contradict each other. Also stateless with JWT works in theory but if you have to revoke a token before it expires you have to store it. To my understanding if you have a 1 hour access token and ban a user in the worst case at minute 1 he has 59 minutes left to do harm.
@DarkWaffle56
@DarkWaffle56 2 жыл бұрын
That’s why I am storing my JWTIDs such that if the user changes password or if I want to revoke his session(s), then I can. Without storing the JWTIDs I wouldn’t be able to manually revoke his tokens without waiting for the expiry time of each of his tokens. The con is that I have to query the database for every API request. Oh well, nothing is perfect lol, but this works for my company’s app
@bopon4090
@bopon4090 4 жыл бұрын
if ssl is not implement then jwt token is vulnerable right?
@Hsa008
@Hsa008 4 жыл бұрын
Which software is used to make this animation?
@Natewu188
@Natewu188 3 жыл бұрын
How does discord's token authentication work?
@sitri2727
@sitri2727 3 жыл бұрын
discord uses authentication tokens that dont change or expire,and they can be stolen,they change only when password is changed.
@carlotadias9335
@carlotadias9335 2 ай бұрын
Hello, what do you mean that token are managed on the client ? Are they not produced in the server ? I didn't understand this last part. Thank you for the video, 0.75 speed to be able to follow.
@AAA79797
@AAA79797 Ай бұрын
they are created on the server and and sent to the client, then the client stores them in local storage and the server in db etc.
@carlotadias9335
@carlotadias9335 Ай бұрын
Thank you !
@basira7580
@basira7580 4 жыл бұрын
Nice content as always :D!
@volodymyr7214
@volodymyr7214 2 жыл бұрын
What about storing JWT Token in cookie?
@connorallen162
@connorallen162 2 жыл бұрын
I didn't realize client-managed state was the point of tokens. I've been generating tokens and saving them in the database. I guess just using the token like a cookie? It's worked fine for small stuff though
@ahmedraed8645
@ahmedraed8645 3 жыл бұрын
awesome as always but the music is too loud
@rezakamali-n8d
@rezakamali-n8d Жыл бұрын
so here is the question both session and token are stored on client side - then browser will send both of them as header, can someone explain how session is manipulated server side ? cause i don't get the last part of this video
TypeScript in 100 Seconds
2:25
Fireship
Рет қаралды 912 М.
What Is JWT and Why Should You Use JWT
14:53
Web Dev Simplified
Рет қаралды 1,2 МЛН
Session Vs JWT: The Differences You May Not Know!
7:00
ByteByteGo
Рет қаралды 305 М.
100+ Linux Things you Need to Know
12:23
Fireship
Рет қаралды 1,5 МЛН
Is Web3 all Hype? Top 10 Web 3.0 Questions & Answers
9:29
Fireship
Рет қаралды 987 М.
Difference between cookies, session and tokens
11:53
Valentin Despa
Рет қаралды 670 М.
How to Roll Your Own Auth
13:05
Ben Awad
Рет қаралды 124 М.
JavaScript Cookies vs Local Storage vs Session Storage
14:28
Web Dev Simplified
Рет қаралды 768 М.
What is JWT? JSON Web Tokens Explained (Java Brains)
14:53
Java Brains
Рет қаралды 1 МЛН
OAuth 2.0 explained with examples
10:03
ByteMonk
Рет қаралды 171 М.