We use tokens to identify resources and to try to ensure data security in insecure environments; however, managing these tokens can get quite complex, and distributed environments make it harder still. Come to the magical world of JSON Web Tokens and make your life simpler!
6-9. Cookie-based session (Browser / Server / DB)
1. presents credentials
2. validates and starts a session
200 OK
Set-Cookie: PHPSESSIONID=ABC123; Domain=foo.bar; Secure; HttpOnly; Expires=Thu, 1 Jun 2017 12:00:00 GMT
3. sends cookies on next requests
GET /
Cookie: PHPSESSIONID=ABC123
4. reads session data and returns a specific response for logged user
200 OK
Hello John!
10. “(…) Each request from any client contains all the information necessary to service the request, and session state is held in the client.”
Representational State Transfer - Wikipedia
37-40. Token-based flow (Client / API / DB)
1. presents credentials
2. validates and creates a token
- issuer: auth.example.com
- permitted to: client.example.com
- expires in 300 seconds
3. sends the issued token
GET /
Authorization: …
4. verifies the signature, validates the claims and processes the request
- is it valid?
- client allowed?
- expected issuer?
- can it be used at this moment?
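The issue-and-verify cycle on slides 37-40, written out as an added example (not code from the talk): a minimal HS256 JWT issuer and verifier built only on the Python standard library. It maps the slide's token attributes to standard claims (iss = auth.example.com, aud = client.example.com, exp = 300 seconds from issue) and performs the four checks the API is shown doing: signature (is it valid?), aud (client allowed?), iss (expected issuer?) and exp/nbf (can it be used at this moment?). The shared secret, the clock value and the single-string aud are assumptions for the example; real deployments use a library, a rotated key and aud may be a list.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_encode(data: bytes) -> str:
    # JWS uses base64url with the trailing "=" padding removed
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # restore the padding that was stripped at encode time
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenError(Exception):
    """Raised for any token that must not be accepted."""


def issue_token(secret: bytes, issuer: str, audience: str, ttl_seconds: int,
                now: Optional[int] = None) -> str:
    # Step 2 on the slide: credentials already validated, build and sign the token.
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": issuer, "aud": audience,
               "iat": now, "nbf": now, "exp": now + ttl_seconds}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." +
                     _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def verify_token(token: str, secret: bytes, expected_issuer: str, expected_audience: str,
                 now: Optional[int] = None) -> dict:
    # Step 4 on the slide: verify the signature, then validate the claims.
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # The verifier pins the algorithm; the header's alg never selects the check.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(signature_b64)):
        raise TokenError("bad signature")          # is it valid?
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("aud") != expected_audience:      # client allowed? (single-string aud assumed)
        raise TokenError("client not allowed")
    if payload.get("iss") != expected_issuer:        # expected issuer?
        raise TokenError("unexpected issuer")
    if now >= payload.get("exp", 0):                 # can it be used at this moment?
        raise TokenError("expired")
    if now < payload.get("nbf", 0):
        raise TokenError("not yet valid")
    return payload


if __name__ == "__main__":
    key = b"example-shared-secret"  # constructed for the example
    tok = issue_token(key, "auth.example.com", "client.example.com", 300, now=1000)
    print(verify_token(tok, key, "auth.example.com", "client.example.com", now=1100))
```

Every claim check happens after the signature check, so an attacker-modified payload is rejected before its contents are read. The 300-second lifetime is also the only thing limiting a stolen token here: nothing in this flow lets the API revoke a token before exp, which is the trade-off the later slides raise.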
47.
1. cannot store private information in the session
2. sessions cannot be invalidated
3. increased network traffic
4. race conditions with highly concurrent HTTP requests writing to session
5. limit on the amount of data stored in session