Introduction
● JWT:
● JSON Web Tokens (JWT) are an open, industry-standard (RFC 7519) method for representing claims securely between two parties.
Authorization Strategies
● 1) Session token
● 2) JSON web token
HTTP:
● HTTP is a stateless protocol. This means an HTTP server need not keep track of any state information, so every interaction in HTTP must carry all the information needed for that interaction; nothing is remembered, and no state is maintained across multiple requests.
Session Token:
● In session-based authentication, the server creates a session for the user after they log in. The session ID is stored in a cookie in the user's browser and is sent with every subsequent request. The server compares the session ID against the session information stored in memory to verify the user's identity.
Session Token Problem:
● Modern web apps run on multiple servers, with a load balancer deciding which server handles each request. If the login request lands on server 1 and the session is stored there, but the next request goes to server 2, server 2 won't recognize the session ID.
If you can decode a JWT, how is it secure?
● JWTs can be signed, encrypted, or both. If a token is signed but not encrypted, anyone can read its contents, but without the signing key they can't change it: if the token is tampered with, the signature won't match.
What happens if your JSON Web Token is stolen?
● It's bad, really bad. JWTs are used to identify the client, so if one is stolen, an attacker has full access to the user's account. However, JWTs can be configured to expire, making them slightly less dangerous than stolen usernames and passwords.
When should you use JSON Web Token?
● Authorization: This is the most common scenario. Each subsequent request after login will include the JWT, allowing access to the routes, services, and resources permitted by that token.
● Information Exchange: JWTs are a secure way of transmitting information between parties. Signed JWTs can verify the sender's identity.
What does a JWT look like?
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlaWQiOiIzNDc4MzciLCJuYW1lIjoiQWthc2ggTmF0aCJ9.GfoX38XUi1Eq0YKuUBrh6yGAuin9Z7pLHyUZNYPtKec
JSON Web Token Structure:
● 1) Header
● 2) Payload
● 3) Signature
HEADER:
● The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.
Payload:
● The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically, the user) and additional data.
Types of Claims:
● Registered claims: Predefined claims like 'sub' (subject) and 'exp' (expiration time).
● Public claims: Defined by those using JWTs. They should be unique to avoid collisions.
● Private claims: Custom claims shared between parties that agree on them.
An example payload could be:
{
"eid": "347837",
"name": "Akash Nath"
}
Signature:
● To create the signature, take the encoded header, the encoded payload, and a secret, and sign them with the algorithm specified in the header.
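An added example (not from the slides) that mints the HS256 token from the deck's own header and payload using the Python standard library, then verifies it, rejects an expired one, and rejects a payload edited after signing. It covers both the tamper-detection slide and the signature slide above; the secret is a constructed placeholder, not the key behind the slide's token.

```python
# Added example, not part of the original slides.
# Mint and verify an HS256 JWT with only the standard library; SECRET is a
# constructed placeholder, never a production key.
import base64, hashlib, hmac, json, time

SECRET = b"demo-secret-not-for-production"  # constructed placeholder

def b64url_encode(data: bytes) -> str:
    # JWT uses base64url with the '=' padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # Restore padding before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, secret: bytes) -> str:
    # Signature = HMAC-SHA256(secret, encodedHeader + "." + encodedPayload)
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify(token: str, secret: bytes, now=None):
    # Returns the claims on success, None if the signature or 'exp' check fails
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except ValueError:
        return None
    if header.get("alg") != "HS256":  # the verifier, not the token, fixes the algorithm
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time compare
        return None
    claims = json.loads(b64url_decode(payload_b64))
    if "exp" in claims and claims["exp"] <= (now if now is not None else time.time()):
        return None  # a stolen token is only useful until 'exp'
    return claims

def tamper(token: str, new_claims: dict) -> str:
    # Swap the payload but keep the old signature, which is all someone without the key can do
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{b64url_encode(json.dumps(new_claims).encode())}.{sig_b64}"

if __name__ == "__main__":
    t = sign({"eid": "347837", "name": "Akash Nath", "exp": int(time.time()) + 3600}, SECRET)
    print(t)
    print(verify(t, SECRET))                                     # the claims
    print(verify(tamper(t, {"eid": "1", "name": "x"}), SECRET))  # None: signature mismatch
```

With the deck's payload and no exp claim, the first two segments of the minted token match the slide's token exactly; only the signature differs because the secret differs.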
JWT_Presentation to show how jwt is better then session based authorization
Thank You!