Large Session Tokens

  1. What is the difference between session and token?
  2. Are sessions better than JWT?
  3. How do session tokens work?
  4. Can JWT be used for sessions?
  5. Where are session tokens stored?
  6. What is session in REST API?
  7. How long should a JWT token last?
  8. How long can a JWT token be?
  9. Should JWT tokens expire?
  10. Where are refresh tokens stored?
  11. How is token generated?
  12. Is it safe to store access token in cookie?

What is the difference between session and token?

It is worth noting that token-based authentication scales better than session-based authentication: tokens are stored on the client side, whereas sessions consume server memory, which can become a problem when a large number of users are using the system at once.

Are sessions better than JWT?

Token-based authentication using JWT is the more commonly recommended method in modern web apps. One drawback of JWT is that a JWT is much larger than a session ID stored in a cookie, because the JWT carries the user information itself.

How do session tokens work?

Session tokens serve to identify a user's session within the HTTP traffic being exchanged between the application and all of its users. HTTP traffic on its own is stateless, meaning each request is processed independently, even if they are related to the same session.

Can JWT be used for sessions?

While the use of JWTs for OAuth is widely accepted, their use for authenticating user sessions is controversial (see this post). In this article, I will attempt to make a comprehensive list of the pros and cons of using JWT for this context.

Where are session tokens stored?

The token is stored in either localStorage or sessionStorage on the client side. Subsequent requests to the server include this token, usually in the `Authorization` header as `Bearer <JWT>`.

What is session in REST API?

Each REST API call by a client is associated with a web service session. A session is created when the client calls the Login API and stays active until it times out or the client logs out. When the session is created, the server generates a session ID that looks like a GUID and assigns it to the session.
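The two passages above (how session tokens work, and what a session is in a REST API) describe the same mechanism: HTTP is stateless, so the server keeps the session state itself and hands the client only an opaque ID. The following is an added example, not code from the original page, showing a minimal in-memory session store with a GUID-style ID, an idle timeout, login and logout, and the cookie attributes a server would set so the ID stays out of reach of page scripts. The 30-minute default timeout and the cookie name `session` are assumptions for the example.

```python
import time
import uuid
from http.cookies import SimpleCookie
from typing import Optional

# Assumed idle timeout for the example (not specified on the page).
IDLE_TIMEOUT_SECONDS = 30 * 60


class SessionStore:
    """Server-side session table: the state lives here, the client only holds the ID."""

    def __init__(self, idle_timeout: int = IDLE_TIMEOUT_SECONDS):
        self._sessions = {}  # session_id -> {"user": ..., "last_seen": ...}
        self.idle_timeout = idle_timeout

    def login(self, username: str, now: Optional[float] = None) -> str:
        """Create a session (the 'Login API' step) and return its GUID-style ID."""
        now = time.time() if now is None else now
        # uuid4 is drawn from os.urandom, so the ID is unguessable as well as GUID-shaped.
        session_id = str(uuid.uuid4())
        self._sessions[session_id] = {"user": username, "last_seen": now}
        return session_id

    def resolve(self, session_id: str, now: Optional[float] = None) -> Optional[str]:
        """Map an incoming session ID to a user, or None if unknown or timed out."""
        now = time.time() if now is None else now
        record = self._sessions.get(session_id)
        if record is None:
            return None
        if now - record["last_seen"] > self.idle_timeout:
            # Idle timeout reached: drop the session so the ID cannot be reused.
            del self._sessions[session_id]
            return None
        record["last_seen"] = now  # sliding window: activity extends the session
        return record["user"]

    def logout(self, session_id: str) -> bool:
        """Explicit logout; returns False if the ID was not active."""
        return self._sessions.pop(session_id, None) is not None

    def active_count(self) -> int:
        """Server memory grows with this number, which is the scaling cost the page mentions."""
        return len(self._sessions)


def set_cookie_header(session_id: str) -> str:
    """Set-Cookie value: HttpOnly keeps the ID away from JavaScript, Secure keeps it off plain HTTP."""
    return f"session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


def session_id_from_request(cookie_header: str) -> Optional[str]:
    """Extract the session ID from a request's Cookie header (assumed cookie name 'session')."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("session")
    return morsel.value if morsel else None


def demo() -> dict:
    """Walk through login, an in-time request, a timed-out request. Times are constructed."""
    store = SessionStore(idle_timeout=60)
    t0 = 1_700_000_000.0
    sid = store.login("alice", now=t0)
    recovered = session_id_from_request(f"session={sid}; theme=dark")  # constructed request cookie
    return {
        "same_id": recovered == sid,
        "set_cookie": set_cookie_header(sid),
        "before_timeout": store.resolve(sid, now=t0 + 30),        # "alice"
        "after_timeout": store.resolve(sid, now=t0 + 30 + 61),    # None: 61 s idle > 60 s limit
        "remaining_sessions": store.active_count(),               # 0
    }


if __name__ == "__main__":
    print(demo())
```

The `resolve` method is where the stateless/stateful split shows: every request carries only the ID, and the server must look it up to recover who is calling, which is exactly the memory cost the earlier passage contrasts with client-held tokens.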

How long should a JWT token last?

In this setup the JWT has an expiration of 2 hours, and the client refreshes it every hour. If the token is not refreshed (the user is inactive and the app is not open) and it expires, the user will need to log in again to resume.

How long can a JWT token be?

The request line and each header line can be at most 8 KB in length, but together they can exceed 8 KB in total. Requests containing a request line or a header line longer than 8 KB are dropped by the router without being dispatched, so a JWT sent in a header must stay within that limit.

Should JWT tokens expire?

The JWT access token is only valid for a finite period of time. Using an expired JWT will cause operations to fail.
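The three passages above (a 2-hour lifetime with hourly refresh, the 8 KB header-line limit, and the fact that an expired JWT fails) can be shown together in one piece of code. The following is an added example, not code from the original page, that mints and verifies an HS256 JWT using only the standard library, enforces the `exp` claim, decides when the client should refresh, and checks that the `Authorization` header line carrying the token fits under an 8 KB limit. The 2-hour lifetime and 8 KB limit are taken from the passages; the hourly refresh threshold, the constructed key and claims, and the `mint_jwt` / `verify_jwt` names are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

TOKEN_LIFETIME_SECONDS = 2 * 60 * 60   # 2-hour expiry, as in the passage above
REFRESH_AFTER_SECONDS = 60 * 60        # client refreshes hourly, as in the passage above
MAX_HEADER_LINE_BYTES = 8 * 1024       # per-line router limit, as in the passage above


class TokenError(Exception):
    """Raised when a token is malformed, forged, or expired."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes, now: Optional[float] = None,
             lifetime: int = TOKEN_LIFETIME_SECONDS) -> str:
    """Build header.payload.signature with iat/exp set and an HMAC-SHA256 signature."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    body = dict(claims, iat=int(now), exp=int(now) + lifetime)
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(body, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, key: bytes, now: Optional[float] = None, leeway: int = 0) -> dict:
    """Check structure, pinned algorithm, signature, then expiry; return the claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")  # the verifier, not the token, chooses the algorithm
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    body = json.loads(_b64url_decode(body_b64))
    # RFC 7519: the current time must be strictly before exp (plus any clock-skew leeway).
    if "exp" not in body or now >= body["exp"] + leeway:
        raise TokenError("token expired")
    return body


def is_valid(token: str, key: bytes, now: Optional[float] = None) -> bool:
    """Boolean wrapper: an expired or forged JWT simply makes the operation fail."""
    try:
        verify_jwt(token, key, now=now)
        return True
    except TokenError:
        return False


def needs_refresh(claims: dict, now: float, refresh_after: int = REFRESH_AFTER_SECONDS) -> bool:
    """Client-side rule from the passage: refresh once the token is an hour old."""
    return now - claims["iat"] >= refresh_after


def fits_in_header_line(token: str, limit: int = MAX_HEADER_LINE_BYTES) -> bool:
    """Would 'Authorization: Bearer <token>' survive a router that drops lines over `limit` bytes?"""
    line = f"Authorization: Bearer {token}\r\n"
    return len(line.encode("ascii")) <= limit


if __name__ == "__main__":
    key = b"constructed-example-key-do-not-reuse"   # constructed; use a random key in practice
    t0 = 1_700_000_000.0
    tok = mint_jwt({"sub": "alice"}, key, now=t0)
    print("valid after 1h:", is_valid(tok, key, now=t0 + 3600))        # True
    print("valid after 2h:", is_valid(tok, key, now=t0 + 7200))        # False: expired
    print("needs refresh at 1h:", needs_refresh(verify_jwt(tok, key, now=t0 + 3600), t0 + 3600))
    print("fits in 8 KB:", fits_in_header_line(tok))                   # True
    bloated = mint_jwt({"blob": "x" * 9000}, key, now=t0)            # constructed oversized claim
    print("bloated fits in 8 KB:", fits_in_header_line(bloated))      # False
```

Two details matter beyond the happy path: the verifier pins the algorithm rather than trusting the token's `alg` field, and expiry is checked only after the signature, so an attacker cannot learn anything about clock handling from an unsigned token. The size check is the practical side of the "how long can a JWT be" passage: every claim you add is base64-encoded into a header line that the router measures in bytes.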

Where are refresh tokens stored?

Access token and refresh token shouldn't be stored in the local/session storage, because they are not a place for any sensitive data. Hence I would store the access token in an httpOnly cookie (even though there is CSRF) and I need it for most of my requests to the Resource Server anyway.

How is token generated?

In Windows, an access token is represented by the system object of type Token. An access token is generated by the logon service when a user logs on to the system and the credentials provided by the user are authenticated against the authentication database.

Is it safe to store access token in cookie?

Local storage is vulnerable because it is easily accessible from JavaScript, so an attacker who can run script in the page can retrieve your access token and use it later. httpOnly cookies are not accessible from JavaScript, but that does not mean cookies make you safe from XSS attacks involving your access token: injected script can still make requests that the browser will attach the cookie to.