How are cookies different from JWT and why are they considered worse than JWT?

3
votes

I have been reading around using tokens for authentication. I, however, fail to understand how tokens (JWT) are different from cookies. Both will store the user info (as claims in tokens), have persistence defined and will be sent with each client request to the server.

Few questions that come to mind, in addition to the above -

  1. Are JWT tokens not prone to Man in the Middle attack? If someone steals a token (on an unencrypted channel), can't they pose as the original user? (unless we add the user's IP etc in the claims)

  2. I've read a few rants that cookies are not good for new-age mobile apps and tokens are the answer. Why?

  3. Why are tokens considered more secure than cookies? What makes them more invulnerable to attacks?

  4. Does a token needs to be issued by the server only, or one can receive a token from another OAuth provider and customize (add/remove claims) and reuse it?

  5. Performance wise, cookies are 'bad' as they have a size limitation, that is why they just store the session ID (typically) with session data in server. This reduces cookie size. But JWT, the whole token needs to be sent, so if the token contains the session data as claims, then we'll be essentially sending this ever increasing token every time. If am getting that correct, isn't that bad performance of JWT as compared to Cookies?

Thanks

1
authenticationcookiessession-cookiesaccess-tokenjwt
First question is comparing apples to oranges. Cookie is just a storage and transport mechanism. Token could be stored in a cookie. - Mika Tuupola

1 Answers

4
votes

Are JWT tokens not prone to Man in the Middle attack?

Yes, you should use HTTPS to ensure that no one can see the JWT in the HTTP request headers. If someone gets the token, they can pose as the original user. The same thing is possible with cookies.

I've read a few rants that cookies are not good for new-age mobile apps and tokens are the answer. Why?

Most mobile apps don't use browsers to make HTTP requests. Browsers make dealing w/cookies seamless for web developers. For mobile developers, using JWT's can be less cumbersome than dealing w/cookies.

Why are tokens considered more secure than cookies? What makes them more invulnerable to attacks?

Tokens aren't necessarily more secure than cookies (a cookie could be signed, just like a JWT). The security benefits come from not being exposed to exploits which trick the browser into inadvertently using the cookies (CSRF attacks).

Does a token needs to be issued by the server only, or one can receive a token from another OAuth provider and customize (add/remove claims) and reuse it?

A JWT is signed with a secret that only the server/organization that generated it should know. So only servers that know the secret can verify the token is valid. While the server that generates the token doesn't have to be the same one that validates it, it doesn't make sense for you to customize and re-use someone else's token.

Reference