2021 December 28

Authorization: JWT > Cookies


The holidays got me thinking about cookies a LOT, so I wanted to write about cookies on the web. Enjoy!

Can You Trust Cookies? 🍪

When a client establishes a connection with a server, the server can set a cookie so it remembers that client on future requests. Cookies were "great" because they were stored persistently in the user's browser. So what's the problem? Whale 🐳 the key word is 'persistent', and there were no restrictions on how a cookie could be stored, updated or shared, which gave way to all sorts of nefarious possibilities, such as Cross Site Request Forgery (CSRF).

So imagine something private or sensitive stored in a cookie. The browser will automatically send your cookies to the server with every request, and on the client side something as simple as document.cookie can read that information for purposes that were never intended...

So while the name 'cookie' may sound like something sweet, you should never accept cookies from a stranger. Yet all of this happens without the user's awareness or consent. Recently browsers have cracked down on this by restricting how cookies can be set, which is good against those with malicious intentions but disruptive to everyone else.

Cookie Monster is sad

On the server side, however, there are ways to secure a cookie. Here's an example express server that sets httpOnly to hide the cookie from client-side scripts and secure to restrict the cookie to HTTPS connections. You can also set maxAge (in milliseconds) so the cookie expires instead of persisting, letting the browser know when to remove it.

You can learn more about res.cookie() here.

Using Cookies for Sessions

When a client requests to connect with a server, a session can be established where the server, instead of the browser, is responsible for storing the sensitive data, keeping it in a database. The server sends the browser a session id cookie with a unique value. For express, you can use a middleware called express-session.

But what if I told you there is a new way to secure session cookies in a database?

Introducing JSON Web Tokens (JWT)

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

JWT.IO

Now a server can generate a unique token for the client with jwt.sign(), using a 'secret' and an expiration; the client can store that token safely. The token is then sent with POST requests, where the server checks it against the secret using jwt.verify().

We validate user login by name/password, then send a token. secret is a placeholder variable that should be stored somewhere else.

On the client side, we can request the user data using the token given to us.

We send user data if the token is verified by the secret.

Moving forward, this is the way to go for authorization; it makes traversing the internet a little safer. Many big tech companies have already made this their standard, including Shopify. So I say, ditch cookies whenever possible and embrace the new!

Copyright © 2022. Jake Wantulok