Рет қаралды 24,494
I've often seen hate for JWTs online, but never really understood why they we're seen as badly designed and insecure. So I did some digging and came to my conclusion. Which is that JWTs are a good method of authentication, but bad session tokens.
Basic opaque session tokens are usually the way to go. Using stateless tokens has many added costs, while not providing that many benefits in practice.