I have implemented a spring boot application which does authentication and authorization using Spring OAuth2.

I am using a JDBC token store to maintain the tokens issued to each client, for performing custom claim verification and some other user status verification during application run-time.

The question is: since I have used the traditional JSESSIONID with a CSRF token, I cannot find any advantage in the new OAuth standards, because after login I would store the user details in the session and retrieve them whenever needed; similarly, for OAuth I store the user details in the JWT token itself and decode the token every time to get the user information. Also, I need to hit the database anyway for custom claim verification such as JTI verification.

Everyone says JWT is for stateless applications, but with the JDBC token store I'm holding all the tokens issued to each client. Also, there is an additional overhead to purge the expired tokens, which is done automatically with sessions. Also, I'm using the refresh token as the way to implement session timeout.

Therefore, can anyone explain to me when I should use JSESSIONID and when to use JWT? My application is running on an AWS architecture.

1 Answer

From my experience, cookie-based authentication sufficiently complicates scaling and load-balancing. If you have authenticated via the first service replica, your cookie will not be applicable to another replica, because all sessions are stored in memory. So, if you want to scale your service in the future, session-based authentication can make things much more complex.

  • But what if we are using Spring Session, which stores the session in a database instead of memory? Most applications need a session timeout, which OAuth does not offer, because for banking applications a session timeout is a must, and they are mostly not cloud-native applications due to security reasons. – vishal sundararajan Apr 05 '20 at 08:07
  • I think in your case the session is preferable. JWT was developed to maintain a kind of "session" on the client side. If you need to store the JWT in the database because of requirements on your system, there is no reason to use it. So, if you reduce the troubles with load balancing using JDBC sessions, it'll be a good solution. – Bogdan Fedoronchuk Apr 05 '20 at 10:21
  • Btw, I found an awesome answer to your question here: https://stackoverflow.com/questions/43452896/authentication-jwt-usage-vs-session – Bogdan Fedoronchuk Apr 05 '20 at 10:27
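To make the trade-off raised in the question and the comments concrete, here is an added example (not code from the post, from Spring Security, or from Spring Session) in plain Python: an HS256 JWT whose jti must still be confirmed against a server-side store, which is the role the JDBC token store plays and what turns the "stateless" token into state that needs purging, beside a JSESSIONID-style session with a sliding idle timeout that expires itself on lookup. The key, the store classes and all claim values are constructed for the demo.

```python
import base64, hashlib, hmac, json
SECRET = b"constructed-demo-key"  # constructed sample key, not from the page

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_jwt(claims: dict) -> str:
    # HS256 JWT: the user details travel in the payload, so reading them needs no server lookup
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

class JtiStore:
    # Stands in for the JDBC token store: every issued jti is kept so it can be checked, which makes the JWT stateful again and needs an explicit purge job
    def __init__(self):
        self.active = {}  # jti -> exp
    def register(self, jti, exp):
        self.active[jti] = exp
    def purge_expired(self, now):
        before = len(self.active)
        self.active = {j: e for j, e in self.active.items() if e > now}
        return before - len(self.active)

def verify_jwt(token, store, now):
    # Signature and exp are checked from the token itself; the jti check still costs one store hit per request
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig), expected):
        return None
    claims = json.loads(b64url_decode(payload))
    if claims["exp"] <= now or claims["jti"] not in store.active:
        return None
    return claims

class SessionStore:
    # JSESSIONID-style server session with an idle timeout: the deadline slides on each access and a stale entry is dropped on lookup, which a fixed JWT exp cannot do by itself
    def __init__(self, idle_seconds):
        self.idle, self.sessions = idle_seconds, {}  # sid -> (user, last_access)
    def create(self, sid, user, now):
        self.sessions[sid] = (user, now)
    def lookup(self, sid, now):
        entry = self.sessions.get(sid)
        if entry is None or now - entry[1] > self.idle:
            self.sessions.pop(sid, None)
            return None
        self.sessions[sid] = (entry[0], now)
        return entry[0]
```

Note that `verify_jwt` needs both the token and the store, so the per-request database hit the question describes does not disappear by switching to JWT; it only moves from a session row to a jti row.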