Chapters:

1. Intro
2. Speaker: David Gilman
3. HTTP Cookie
4. Stateless Tokens
5. Server Side Session
6. Clifford Stoll's Chocolate Chip Cookie Recipe
7. Trying to be Everything to Everybody
8. JWTs as Sessions
9. Attaching with JavaScript
10. Weak HMAC Secrets
11. No Revocation
12. No Expiration
13. Database for Revocation
14. Refresh + Access Tokens
15. Fragile Built-In Signing Key Rotation
16. Fully Stateful
17. Multiple Overlapping Implementations
18. Service 2 Service Auth
19. Shared Token
20. Auth Service
21. Revocation via Cache
22. Hardcoded Algorithm
23. Use Alternatives
24. Use Trusted Libraries
25. Registered Claims
26. Macaroons Paper
27. Stop Using JWT for Sessions
Description:
Explore patterns and anti-patterns of JSON Web Tokens (JWTs) in this 33-minute conference talk from LASCON. Delve beyond basic JWT concepts to examine various use cases, including stateless tokens, server-side sessions, and service-to-service authentication. Learn about potential pitfalls such as weak HMAC secrets, lack of revocation mechanisms, and fragile key rotation. Discover alternatives like macaroons and gain insights on when to avoid using JWTs for sessions. Understand best practices for implementing JWTs securely, including the use of trusted libraries and registered claims.

JWTs - Patterns and Anti-patterns in Authentication

LASCON