
JWT vs Cookies for Authentication

I go over the pros and cons of using JWT vs Cookies and which one you should use for authentication.
Links from video:
jwt.io/
----
If you like cooking, checkout my side project: www.mysaffrona...
----
Join the Discord: / discord
----
Patreon: / benawad
----
Follow Me Online Here:
GitHub: github.com/ben...
LinkedIn: / benawad
Instagram: / benawad97
Twitter: / benawad
#benawad
TikTok: / benawad

----
Follow me online: voidpet.com/be...

Comments: 76

  • @Kamillascookie, 5 years ago

    I wish my architect was this good at explaining stuff. You are awesome!

  • @alenw5150, 5 years ago

    Good video. Just wanted to mention that JWT stands for JSON Web Token, so it's redundant to say JWT token - you're basically saying 'token' twice. Cheers!

  • @staplepin8099, 3 years ago

    lol, he still says "no demon" for nodemon. lol, node monitor

  • @DioArsya, 3 years ago

    @staplepin8099 nope, it's "nod emon" for sure

  • @KoltPenny, 4 years ago

    If it is really JWT vs Session I recommend you change your title because I've been looking for this for months.

  • @IgorPomaranskiy, 4 years ago

    Probably it was worth mentioning: using tokens (which is _usually_ the case when you go for JWT) vs cookies (which is _usually_ the case when you go for sessions) lets you not bother about CORS etc.

  • @peterm.souzajr.2112, 5 years ago

    you make the information so easy

  • @peterm.souzajr.2112, 5 years ago

    I have only used sessions so far on my projects; I love the hard control of it.

  • @natqe4049, 5 years ago

    I love this kind of tutorial! Thanks Ben

  • @johnferrara392, 4 years ago

    Really cleared up when and why to use which one for me.

  • @CoryTheSimmons, 5 years ago

    8:00 is how I feel but /dev/null's comment about refresh tokens is also correct.

  • @ohnoitsretarded1187, 2 years ago

    I can't remember the last time I commented on a video (maybe like 9 years ago), but I just had to, because when I finished watching your video and saw your name, I was shocked, hahaha. I saw you a few times on TikTok but I didn't know you had a YouTube channel!!! Anyway, I'm doing some pen tests on JWT, and this video really helped!! Especially introducing that JWT website, haha. I guess I'll follow your TikTok now.

  • @DrPanesar, 5 years ago

    Hi Ben, thanks for the discussion about the pros and cons of JWT vs Cookies. I think you have covered the really important ones. Personally I use cookies and sessions for most of my projects. The main reasons for me are the ability to keep data server side and private and to allow multiple sessions and logins across devices which can be invalidated at any time, like on a password reset or logout. I worry about JWT and security as the data you're sending is really vulnerable. Say I copy out a JWT from a web browser someone else is using and decrypt it to read that individual's data. That feels so risky and I don't think big tech companies use JWT for mission-critical data transfer for their apps. I might be wrong but I've only really seen them use cookies...

  • @bawad, 5 years ago

    I agree, I see most companies using cookies too

  • @alexnezhynsky9707, 5 years ago

    You could make the JWT cookie HttpOnly and Secure. Also maybe only deliver a small portion of data in the token payload.

  • @alexnezhynsky9707, 5 years ago

    Also, sessions are prone to the same problem. If you steal someone's session ID cookie, it's game over, because you can now impersonate them. If it's a JWT, some of the data is already in the payload. If it's a session ID, all you have to do is send it along with your request, and you can get any data you want. There's no 100% bulletproof auth. That's why Google, for example, incorporates IP and user agent verification, along with 2-factor auth, to alert the account owner of any suspicious login activity.

  • @DrPanesar, 5 years ago

    Hi Alex, that's true and a really great run-through. I wonder if sessions could be linked with the IP or signature of the device so that it could spot if it's copied to another device or browser? I'm no expert when it comes to security, so I would be interested in people's thoughts on this. It would be great to see how we can achieve the best security as devs without the resources that Google or larger companies have... appreciate that might be asking for the impossible. :)

  • @achillles6838, 2 years ago

    What about mobile applications, can cookies still be used?

  • @jerrytab4276, 5 years ago

    Can you create example tuts using redis to store sessions and use it to authenticate two servers? Thanks

  • @bawad, 5 years ago

    kzread.info/dash/bejne/o3eis8mTqtKvfbA.html shows you how to set everything up; then you can have it use redis with github.com/tj/connect-redis. That'll work for as many servers as you want; they just all connect to the same redis instance.

  • @flitchingcl5858, 4 years ago

    I am a fan of JWT but it is less secure compared with sessions, since someone can still steal the JWT token from local storage and the expiry time cannot save you. But as a pro of JWT I can say that sessions cannot be used on another domain.

  • @ManojSingh-of5ep, 2 years ago

    I use JWTs and I don't know why one would send a lot of data using a JWT. I create JWTs using only a particular ID.

  • @biggur5, 1 year ago

    I need some help. I'm doing a short course and I'm not that good. My task was to right-click on the padlock on the left of the site address (next to the https://), then to click on cookies, expand it and then click on 'token', but now all of a sudden my 'cookies and site data' tab is not expanding anymore and I can't obtain a 'token'. It was fine earlier. I am using Chrome and Firefox and it's not working now. It was working earlier in the day. I would be very grateful for some help from anyone.

  • @caliarmut5127, 5 years ago

    Hey Ben, this video helped me decide to choose sessions over JWT. There are two points I wish you had mentioned:
    - JWT should not be stored in local storage because it makes your app vulnerable to XSS attacks.
    - Apollo client doesn't always persist the session in a cookie. I still haven't been able to make it persist even if it is attached to my request.

  • @bawad, 5 years ago

    Apollo client works with cookies for me once you set credentials to include

  • @caliarmut5127, 5 years ago

    @bawad I've updated my version of Apollo Boost and changed same-origin to include and it works perfectly now! You're amazing, Ben Sensei!

  • @YaserAz, 5 years ago

    Thanks Ben. Really helpful

  • @mtushar, 2 years ago

    Hi Ben, what software are you using there for the diagrams?

  • @felipemolinari4763, 4 years ago

    Very good video. It's really helpful

  • @rickyu1978, 4 years ago

    What is your suggestion for anonymous users? I need a way to keep track of anonymous users who I am allowing to do limited operations on my site, but I'm not sure how to treat non-registered users. I could fingerprint them, but I would rather create a userid in Mongo; JWT may be overkill as they don't have passwords.

  • @jindon27, 5 years ago

    Hi Ben, just want to know your choice. Suppose you have an e-commerce site that uses REST API and a react frontend, which one will you choose to use? Basic JWT or Cookies?

  • @bawad, 5 years ago

    Cookies

  • @jindon27, 5 years ago

    OK.. Seems like I need to learn more on authentication with cookies then. Thanks

  • @jindon27, 5 years ago

    One last thing, have you tried strapi.io? How do you feel about it? Will you ever want to do a tutorial on it? Seems like no one is covering that.

  • @Lessep922, 5 years ago

    I tested strapi and it seems like a project with a good future but still a bit buggy. The way to implement some stuff is not well documented either, as the base (alpha yet) is changing constantly. Give it a try and you'll see.

  • @jindon27, 5 years ago

    @Lessep922 I have tried it. I am currently working with it. I have deployed it and am currently testing it using a dokku instance in DigitalOcean. Didn't see any content creator covering it as of now, like a tutorial or so, so I was curious what Ben felt about it.

  • @shafu_xyz, 5 years ago

    What's the popular method for user authentication and authorization, like in Facebook, Google etc.? Also, how does JWT compare with OAuth etc.?

  • @bawad, 5 years ago

    The most popular methods I see are using sign in with Facebook/Google/GitHub/Twitter/etc. or rolling your own auth with email/password with sessions or JWT. JWT is usually used in OAuth.

  • @shafu_xyz, 5 years ago

    @bawad So how do companies like Facebook, Google etc. implement their auth, is it JWT or sessions? Or much more complicated than that? Also, how do OAuth 2.0 and OpenID compare with JWT?

  • @bawad, 5 years ago

    I'm not sure what they use

  • @rtorcato, 5 years ago

    You didn’t mention refresh tokens.

  • @bawad, 5 years ago

    yeah, those are a consideration if you pick JWT

  • @rtorcato, 5 years ago

    I think it's a must. With JWT, tokens are usually set for a long time and refresh tokens are in minutes. If you don't have refresh tokens set up and you have a blacklist, the user can stay logged in for days, weeks or months depending on the date for your token to expire. That actually turned out to be a problem with the Ring doorbell system. If a couple split up or they just wanted to change the password to their account, the spouse or whoever still had access could still spy on them until the token expired.

  • @bawad, 5 years ago

    makes sense

  • @SiddiqNx, 4 years ago

    Where will you store the refresh token on the client? If it's stored in local storage, isn't it insecure per se? Doesn't it mean a hacker can perform an XSS attack and get the refresh token? Which means the hacker can use the refresh token to generate access tokens as much as he wants. What am I missing?

  • @vaibhavgupta166, 2 years ago

    Usually we use refresh tokens in native apps, where they can be stored within OS secure storage that can't be hacked easily. These tokens can then be used on successful biometric authentication to fetch access tokens. I didn't see similar flows in web applications.

  • @onimekyo7633, 3 years ago

    Thanks, this is great. Under 10 minutes and I really understand what you say, although you speak nonstop.

  • @saysoy1, 4 years ago

    How about encrypting the JWT, then sending it to the client, storing it in a cookie, then sending it back to the server whenever you need to access some data (it will be decrypted on the server again)?

  • @renstillmann, 4 years ago

    Totally fine to do that, but what's the point, you could ask yourself. Are you using it for authentication? Then don't use JWT at all. Some even store it in localStorage of a browser... JWT has its use cases for sure, but authentication isn't (in almost all cases) a good choice.

    Just encrypt data server side and store it as a cookie with the flags "httponly" and "secure" (for security reasons; I won't go into details here). Just make sure that the algorithm is bcrypt, or if you know what you are doing use another one (be careful though and do your research). Most importantly, you will still want to make sure that you store and expire that "token" (the cookie's value) on your server. That way, even if the cookie was stolen (totally possible), the session would be valid for a limited time.

    You can then of course incorporate some sort of refresh method too, so that only an authenticated and currently active user will be able to refresh (get a new token). The more frequently you refresh the pair, the more secure it could become: let's say, in theory, that a "hacker" can see your cookies; if you'd refresh the cookie token every 10 seconds, the "hacker" wouldn't even be able to copy-paste that token in the first place (manually speaking).

    Personally, the expiry time of the token should be based on what application it is for. Highly sensitive info and low traffic? Put it as low as possible, e.g. 1 to 5 min, and refresh the token every 10 to 120 sec. For less sensitive info a good starting point would be 15 min, refreshing every 5 min. Please just google why JWT is not a good method for authentication, and why cookies are the way to go (still).

  • @siafudev7172, 4 years ago

    I decided to use sessions instead of JWT tokens. However, if I set the security flag httpOnly, I can't read the cookie set by Express. How do you handle this within your Angular apps without giving up the security that the httpOnly flag gives you?

  • @erikawwad7653, 3 years ago

    If anyone has this problem, set the secure field of the cookie to false

  • @michelestieven3960, 3 years ago

    @erikawwad7653 lol Nope, don't do that... Those flags are *needed* for the process to be secure. You don't need to read the cookie from your front-end; it shouldn't even know it exists. That's one benefit of sessions: it makes authentication pretty simple and transparent. If you want to get info about a user, hit a "/profile" endpoint and get the data. If you get an error, your session has probably expired and you should redirect to the login form.

  • @erikawwad7653, 3 years ago

    @michelestieven3960 Yeah, I must have been half asleep at 4 am. I don't know why I would say something so stupid.

  • @EVA_Hamza, 3 years ago

    Thanks

  • @Lynellf, 5 years ago

    Great video

  • @Kingside88, 4 years ago

    Thank you. Really well and visually explained. Now I understand the difference. Can you please also cover the difference to OAuth2?

  • @hatimkhomsi4049, 5 years ago

    very nice video. Thank you.

  • @muratdemirturk3038, 2 years ago

    JWT validation is not done with the secret key. Anyone who has the public key of the JWT issuer can validate it. No secret key is involved in validation. It is just one of the benefits of using a symmetric key.

  • @kamaninikhil71, 5 years ago

    What about which one is more secure in terms of CSRF attacks?

  • @bawad, 5 years ago

    Both methods can be persisted with cookies or localStorage. I go with cookies, and that is vulnerable to CSRF.

  • @jackjsy, 5 years ago

    Thank you! Is there a concern with XSRF? I'm not too sure on these things.

  • @bawad, 5 years ago

    there can be with cookies; I'll be making some videos on this in the future

  • @mohammadayankhan2604, 3 years ago

    noice

  • @edwingarcia5043, 2 years ago

    final thoughts: It depends.

  • @edwingarcia5043, 2 years ago

    After gaining more knowledge about sessions and JWTs, I can confirm that it still depends. Nonetheless, doing sessions seems a pretty good start when learning about authentication and session management.

  • @Rogueixpresents, 1 year ago

    ah when his content was actually good

  • @bizneslupa3629, 1 year ago

    I don't know why people put out videos with diagrams; we need real code. Only real code examples can make others really use it and understand.