If you’ve read any of the recent articles [1], [2] about how JSON Web Token (JWT) could be the next hot thing in HTTP sessions,
you may be thinking to yourself: “I should go rewrite my authentication layer to use it.” Before you dive right in, you may want to consider some of the security implications that JWT introduces.
As context, the Prevoty engineering team is currently in the process of rewriting our management console. Recently, an engineer proposed JWT as a solution for handling our sessions client-side, rather than storing and managing them on the server. After weighing the options, we chose not to implement JWT. This post explores the reasons and motivations behind that decision.