
In the rails example you gave, if they go so far as storing the entire session object in a cookie, I don't see why they wouldn't just use JWT as it's basically the same idea with an added signature to prove that it was generated by the server. Why would you invent something new which is just about as complex, has the same disadvantages and has fewer advantages?


Because the mechanism used is simple and sufficient, and using JWTs would be more complex. Rails encrypts the cookie data so signatures are unnecessary.

Also, Rails has been doing this since 2007, three full years before the JWT spec was first published.
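An added illustration of the encrypted cookie store described in the reply above (example code, not from the thread and not Rails' own implementation): the whole session hash is serialised and encrypted with AES-256-GCM, and on load the authentication tag rejects any forged or modified cookie, which is why no separate signature step is needed. The key, session values and `--` separator are constructed for this example.

```ruby
require "openssl"
require "json"
require "base64"

# Constructed example of a cookie-based session store in the spirit of the
# Rails cookie store discussed above. AES-256-GCM is an authenticated cipher,
# so confidentiality and integrity come from one operation.
class EncryptedCookieStore
  CIPHER = "aes-256-gcm"

  def initialize(secret_key)
    raise ArgumentError, "need a 32-byte key" unless secret_key.bytesize == 32
    @key = secret_key
  end

  # Serialize the entire session hash into an opaque cookie value.
  def dump(session)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = @key
    iv = cipher.random_iv                 # fresh 12-byte nonce per cookie
    cipher.auth_data = ""
    ciphertext = cipher.update(JSON.generate(session)) + cipher.final
    [ciphertext, iv, cipher.auth_tag].map { |b| Base64.strict_encode64(b) }.join("--")
  end

  # Returns the session hash, or nil if the cookie is malformed, forged,
  # tampered with, or was produced under a different key.
  def load(cookie)
    parts = cookie.to_s.split("--")
    return nil unless parts.length == 3
    ciphertext, iv, tag = parts.map { |p| Base64.strict_decode64(p) }
    return nil unless tag.bytesize == 16  # refuse truncated tags
    decipher = OpenSSL::Cipher.new(CIPHER).decrypt
    decipher.key = @key
    decipher.iv = iv
    decipher.auth_tag = tag
    decipher.auth_data = ""
    JSON.parse(decipher.update(ciphertext) + decipher.final)
  rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
    nil                                   # any integrity failure ends here
  end
end
```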



