Discussion on: How I Fixed JWT Security Flaws in 3 Steps

Renato Byrro • Edited

We're getting way way beyond the purpose of my article, but let's cover it quickly.

I see there are maybe some conceptual confusions.

When api.domain.com sets a cookie, it doesn't need to be available for domain.com. When domain.com fires a subsequent request to the API, the cookie will be sent along with it. It's the API that needs the JWT, not domain.com. This can work if you set the API to accept CORS.

What I mean is that a session uses a cookie the same way it's proposed for JWT to use it. Obviously they are different implementations.

The problem with sessions is not encryption, but what can be extracted from them. A JWT can store a minimal user object, so that the API doesn't necessarily have to reach a database for that.