00:00 Introduction 5:08 HTTP-Cookies 06:49 Session-IDs to add more trust to cookies 09:20 Problems with Session-IDs when having multiple servers in parallel - shared cache - distributed cache - sticky sessions 15:29 Json Web Tokens 15:53 "Cockies" vs "Session ID" vs "JWTs" 16:43 Two kind of tokens - "by Reference" - "by value" 17:45 Authentication and Authorization with a JWT as Cockie 19:20 Structure of JWTs 26:13 Benefits of JWTs - simple load balancing (no state) 28:29 Signatures - symetric - asymetric 29:49 OAuth2 and OpenID Connect 31:26 Drawbacks of JWTs - Revokation - Same as SessionId - XSS Attacks 41:32 Other JWT applications - multi-part user forms - confirmation emails

Finally someone does know how JTW's should be used and is not talking shit about it like dozens of others here... thx Hubert

This is the best JWT explanation I've seen. I love your inclusion of CSRF as well.

He said that the drawback of JWT stored in cookies flagged as HTTPOnly is that you cant read the payload from JS. There is a simple solution for this problem. You can split the JWT into 3 parts (header, playload and the signature). Then you can set two cookies. The first one flagged as HTTPOnly will contains header + signature and the second one will contains only the payload and will not be flagged as HTTPOnly so you can read it from JS. XSS attacker can read or modify the payload, but thats ok, because he cannot access the signature, so the modified token will be invalid.

Merci pour cette présentation : the best JWT explanation and security issues that one can have.

Great explanation on the advantage of using JWT token vs Session IDs.

Really brilliant talk!

Very clear. Thank you!

Wonderful explanation .

Great. Well explained.

really interesting. thanks for sharing

awesome. thank you very much.

Very nice lesson

this is amazing

Great explanation

Amazing explanation of JWT and session persistence. One question though: At 43:10, you suggested using sessionID at API gateway. Does this mean that the API gateway will have some storage mechanism? If yes, then won't it have the issues that you had mentioned at 10:05 ?

- jwt cannot be compared to cookies, but can be to session id: session id - by reference, credit card, jwt - by value, banknote

Awesome talk, is this presentation slides available somewhere online?

Thanks for the simple explanation and entertaining presentation. It would be nice if you can clarify the following @ 29:30 you are talking about a "Security Provider" holding a private key in one of the servers and others holding the public key. Initially i thought that the info from all other servers will be served after an authentication check with the Security provider server BUT then i saw there are no connections between the servers themselves to the Security Provider. So 1. Is this some form of content segregation across servers where the authenticated users content and unauthenticated users content are kept and served separate to distribute the load ? If not can you kindly explain why there are no connection between the servers with the public key to the server with the private key ? 2. If all other servers rely on the Security provider server to let them know whether or not to server the content, then wont the Security Provider server will become the Single Point of Failure ? 3. Having a public key in cookie and storing the private key in the server to authenticate, How different is this from storing a session ID in the cookie and storing the session ID reference in the server to authenticate ? Pardon me if my questions are too basic (and for the long post), really appreciate if you can shed some light on these for my better understanding

That's funny. I also bought my first computer in 1994 - a Quantex P90. That was close to the state of the art for Wintel machines at the time. Not many weeks later Slackware was installed. :-)

Very nice, very clear, perfect. And as neighbour (i'm french), i like your french accent (but mine from south of french is also much more incredibly nicer, i promise). :)

amazing

nice explaination, which tools you used to create all the diagrams?

Awesome talk, debunked a lot of misconception I had about JWT and security

need to see it at 1.25x atleast, but good talk :)

There are two potential problems with this approach in my humble opinion..... Firstly using JWT means now I have a (JSON) data structure readily available on my client machines, in plain text (well base64 which is tantamount to plain text,) that perhaps contains sensitive application information that was previously only available to my web/application server. Secondly doesn't this violate SoC. Why should my clients even care about application state or contextual data? Shouldn't thin clients like web browsers be completely stateless and really only care about rendering and presenting TRANSIENT data returned over the scope of a GET/POST request. Perhaps I'm missing something, best practices seem to shift so fast in application architecture and thus it is entirely possible that the approach I've outlined is now considered to be a bit antiquated.

What prevents an attacker from reading my local storage, retrieving the sync token and then submitting a form with the cookie + that sync token and perform a CSRF attack?

nice

thanks for the amazing explanation on JWT. I have question here. suppose say the expiration of the JWT token is 15mins after its creation but the user logout/close browser just after 5 mins. Now, I need to destroy the created token. how can I do that. any kind of help is appreciated.

link to downloadable copy of slides pls?

Is this still valid in 2023 or should i consider any other vulnerability? Thanks and great lecture

Active subtitles recommended

can anyone help me how to implement jwt in microservice architecture?

Wow, did not remember the level codes of Lemmings

18:42 "I'm a cookie, what do I do?"

I didn't understand the use of asymmetric key. If the public key is leaked, I could still fake identities?

@kzbin.info/www/bejne/bGjQlq2BaLOtprc ,cant the attacker access the local storage get the csrf and then send a request on behalf of the authenticated user ?

Talk starts at 16th min.

even though session can be saved from single point of failure using jwt, an application needs to save lots of internal data in databases. what if they fail? If you can make them fail proof then there is no problem for normal sessions and no need for jwt

94' PC and screenshot from Windows XP - not cool ;)

It's amazing how the people reinvent the wheel with JWT claims and cookies. Setting the Path, Domain, Session ID already exist in RFC-7519 (iss, sub, aud, jwi).

95% of the room played Lemmings, really ?

This guy talks like Stan Wawrinka.

Why do we never start first talking about load balancer getting failed?

Might as well parler en français lol

SessionID is not an issue. Apple Music Store is a stateful application and it scales.