Which method to use to log a user (JWT cookie vs SESSION)

Asked

Viewed 465 times

1

So, my question is the following: which is the best method to create a login "session" for the user?

I learned to create this session using a JWT in a cookie; however, the cookie is accessible by the browser, and it contains some information, like the user 'id', that I use to run some SELECTs on the website.

I did validation, and I even put in an encryption a friend sent me, which made it safer than just using Base64.

But I can do the same thing using SESSION.

What is the best method to create this "logged in" status, and why?

I ask this question because I want to learn the method that is easiest for the server and the safest; I don't feel comfortable letting the user access the information in the cookie.

  • 1

    Your question has already been answered here: https://answall.com/questions/115190/qual-a-diferen%C3%A7a-entre-Sessions-e-cookies, here: https://answall.com/questions/38920/o-que-guardar-uma-sess%C3%A3o-login?rq=1, here: https://answall.com/questions/33664/remin-usu%C3%A1rio-com-segura%C3%A7a?rq=1, here: https://answall.com/questions/3571/qual-a-bestmaneira-de-cria-um-systems-de-login-com-php?noredirect=1&lq=1, and perhaps in several other questions in the "Related" section on the right side of the question (which were suggested to you when you opened it, but you did not read).

2 answers

2


Good morning, buddy. SESSION is managed by PHP; there is no need to encrypt, as session data is not available in the browser.

However, I advise you to keep JWT and not use SESSIONS. The SESSION is tied to the client's IP and to the server, which currently leaves you limited: for example, if your client is using a mobile phone and changes network (3G to Wi-Fi or 3G to 4G), their IP will change and they will lose the SESSION, and you will need to request a new login. Another situation is this: let's assume your client has logged on to a server that is in Brazil, but you need to redirect them to another server that is in the US; in this case, if you are using SESSION, the US server will not have access to the SESSION data, whereas if you use JWT it will.

JWT is more modern and emerged to solve these problems that existed with SESSIONS.

Use strong encryption on the JWT, and if possible force your client to use HTTPS and do not accept requests over HTTP, because it is useless to use strong encryption on the JWT if it can be intercepted over HTTP. If you need to use HTTP, for security it is best to validate your client's IP and use fingerprinting techniques (on https://amiunique.org you can learn about fingerprinting).

  • 1

    Yes, the friend who taught me about it sent me a class to fetch the browser version, so I check whether the IP is the same and whether the version is the same during token validation. You helped me a lot; I really did not know about these problems with Session, thank you very much.

  • "SESSION is tied to the client’s IP, "the PHP pattern ties to the cookie, not the IP...

0

There are several problems with JOSE (JWT, JWS, JWE...), but I will only point to external material (like this article and this other one), since that was not the original question.


I will focus only on your question of:

"I want to learn the easiest method for the server".

Well, using JWT/JWS you will probably use a derivation algorithm (such as HMAC) or a signature algorithm (such as the archaic ECDSA with P-256). After that you will do a SELECT * FROM ..., as mentioned. In summary: fast this is not! It is obvious that doing a single SELECT * FROM ... would be faster.

"and the safest"

If you use a session identifier with a uniformly random value (such as random_bytes(), or session.entropy_file = /dev/urandom in the case of standard PHP), and if you use TLS/HTTPS and the cookie is restricted to traffic over TLS only (using session.use_only_cookies = 1 in standard PHP)... then JWT adds no security; in fact it can be even worse. After all, how does a session end? The JWT was created to be valid forever. If you add other identifiers to it, requiring global state, you are killing one of its purposes.

  • It is up to the backend to control the expiration date of a JWT; you can even use a different value for each JWT (for example, if it is HTTPS keep the JWT for 24 hours, over HTTP 30 minutes), whereas starting a SESSION has a fixed term in PHP regardless of method.

  • @Márciorossato it is not about an expiration date. When you change your password, all authorized sessions are expected to be removed. However, as he says: "as the 'id' of the user I use to run some SELECTs on the site", so a properly signed JWT will be valid forever for that user. If you add other things, like a "session id", and do a "SELECT id_user WHERE id_sess = ?", half the purpose of JWT is gone; you could remove it and do the SELECT directly. If read-only is a problem, just use a hash(id_sessao) for the lookup, and the user holds the pre-image of the hash.

  • But changing the password also doesn't "kill" a SESSION. Maybe we're talking about different situations. I believe what you imagine of JWT is different from what I think; maybe the same happens when we talk about SESSION. Anyway, I believe the same feature that is used to "kill or validate" the SESSION when the user changes the password can also be applied to JWT.

  • @Márciorossato, it can be applied, but it kills the purpose of JWT. JWT is made so that such a session is validated only by checking the signature/derivation of the JWT itself. If you require other mechanisms to validate it, what is the point of using JWT in the first place? None. If you add other validation data inside the JWT you can simply remove the JWT... In the case of default PHP you can unlink the file in the tmp folder using the session id previously associated with the user, if you use the default. If you are using session_set_save_handler you already have a destroy() for that.

  • The point of using JWT is the two I cited in the answer: allowing mobility on the client side and on the server side. Now, if the application runs in a local environment, VPN, intranet or something like that, I believe it makes no sense to invest in JWT at all; use Sessions, which is easier.
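Added example, not code from the question or either answer, written in Python rather than the PHP the thread assumes so that the two mechanisms can be run side by side. It contrasts the stateless JWT the first answer recommends (HS256 signature plus an exp claim, verified with a constant-time comparison) with the server-side session the second answer recommends (a 256-bit random id from the OS CSPRNG, the Python counterpart of PHP's random_bytes()), and then runs the revocation scenario argued over in the comments: after a "password change", the server-side session dies immediately while the already-issued JWT stays valid until exp. The key, user ids and timestamps are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo key; a real deployment loads this from a secrets manager.
JWT_KEY = b"demo-key-do-not-use-in-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(user_id: int, ttl_seconds: int, now: int, key: bytes = JWT_KEY) -> str:
    """HS256 JWT carrying the user id and an 'exp' claim; no server state is kept."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": now, "exp": now + ttl_seconds}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, now: int, key: bytes = JWT_KEY):
    """Return the user id if the signature is valid and 'exp' has not passed, else None.
    Only the signature and exp are checked: nothing here can revoke a token early."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":  # refuse 'none' and alg-confusion tokens
            return None
        expected = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        payload = json.loads(_b64url_decode(p))
        if now >= int(payload["exp"]):
            return None
        return payload["sub"]
    except (ValueError, KeyError, TypeError):
        return None


class SessionStore:
    """Server-side sessions: the cookie carries only a random id, all state stays on the server."""

    def __init__(self):
        self._sessions = {}  # session id -> user id

    def create(self, user_id: int) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, like PHP random_bytes(32)
        self._sessions[sid] = user_id
        return sid

    def lookup(self, sid: str):
        return self._sessions.get(sid)

    def revoke_user(self, user_id: int) -> int:
        """Kill every session of one user, e.g. right after a password change."""
        doomed = [s for s, u in self._sessions.items() if u == user_id]
        for s in doomed:
            del self._sessions[s]
        return len(doomed)


def compare_revocation(now: int = 1_700_000_000) -> dict:
    """Log user 42 in both ways, 'change the password', and report which login survives."""
    token = mint_jwt(42, ttl_seconds=3600, now=now)
    store = SessionStore()
    sid = store.create(42)

    store.revoke_user(42)  # the server-side session is gone at once...
    return {
        "jwt_still_valid": verify_jwt(token, now + 60) is not None,  # ...the JWT is not
        "session_still_valid": store.lookup(sid) is not None,
        "jwt_after_exp": verify_jwt(token, now + 3601) is not None,
    }


if __name__ == "__main__":
    print(compare_revocation())
```

Run as a script it prints the three booleans: the JWT is still accepted after the revocation and only dies once exp passes, while the session id is rejected immediately. Closing that gap for JWTs means adding server-side state (a denylist or a per-user token version checked on every request), which is exactly the trade-off the second answer describes.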
