
Is this authentication scheme using JWT secure?

Çağlar Arlı - 75 Views

I was wondering if you could review this authentication scheme for a web application.

=== Login Page ===
Credentials Verification => Server issues JWT => Stored in a Cookie

JWT contains:
exp: timestamp
uid: UserID
HMAC-SHA512 Signature

Redis stores:
Key: UserID
Value: SecretKey (Only inserted if does not exist)

=== Authentication of Requests ===
JWT Decoded
$uid = UserID

Redis gets:
Value: SecretKey from
Key: $uid

JWT HMAC Verification using SecretKey
if verified
if exp not expired

ALL OK

So why use JWT at all when this is actually a stateful scheme and not stateless?

  • Verification performs only a single query to Redis; there is no need to do another to get the UserID.

  • No need to store a SessionID for every session; Redis stores only one record for unlimited sessions of a given user.

  • No need to maintain expired sessions in Redis and delete them.

  • All tokens of a single user can be revoked at any time by changing the SecretKey.

Please tell me whether it is stupid or there are any security flaws so I do not implement crap.
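The scheme described in the question, written out as an added example (not code from the question author). A plain dict stands in for the Redis store (Key = UserID, Value = SecretKey, inserted only if absent); the JWT encoding is done by hand with the standard library so nothing external is needed. The points a reviewer would check are spelled out in the verifier: the payload is parsed unverified only to learn which per-user key to fetch, an unknown uid never causes a key to be created, the algorithm is pinned to HS512 rather than taken from the token header, the HMAC is compared in constant time, and the expiry is checked only after the signature passes. Revocation of every session of one user is the key rotation the question mentions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed stand-in for Redis: Key = UserID, Value = SecretKey.
# A real deployment would use redis-py (SETNX / GET); this dict is an
# assumption for the example only.
SECRET_STORE = {}

ALG = "HS512"  # HMAC-SHA512, as in the question


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def get_or_create_secret(uid: str) -> bytes:
    """'Only inserted if does not exist': the SETNX step at login time."""
    if uid not in SECRET_STORE:
        SECRET_STORE[uid] = secrets.token_bytes(64)  # 512-bit key for HMAC-SHA512
    return SECRET_STORE[uid]


def revoke_all_sessions(uid: str) -> None:
    """Rotate the per-user key: every token signed with the old key now fails."""
    SECRET_STORE[uid] = secrets.token_bytes(64)


def issue_token(uid: str, ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """Login step: credentials already verified, mint the JWT for this user."""
    now = int(time.time()) if now is None else now
    header = {"alg": ALG, "typ": "JWT"}
    payload = {"uid": uid, "exp": now + ttl_seconds}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(get_or_create_secret(uid), signing_input.encode(), hashlib.sha512).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Per-request step. Returns the verified payload, or None on any failure.

    The payload is read *unverified* only to find which per-user key to fetch;
    nothing in it is trusted until the HMAC has been checked against that key.
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None

    # Pin the algorithm: the token header must never choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != ALG:
        return None

    uid = payload.get("uid") if isinstance(payload, dict) else None
    # Single Redis GET. An unknown uid has no key and must NOT create one here.
    if not isinstance(uid, str) or uid not in SECRET_STORE:
        return None

    signing_input = (header_b64 + "." + payload_b64).encode()
    expected = hmac.new(SECRET_STORE[uid], signing_input, hashlib.sha512).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None

    # "if verified -> if exp not expired": expiry is checked only after the HMAC.
    exp = payload.get("exp")
    if not isinstance(exp, int) or isinstance(exp, bool) or exp <= now:
        return None
    return payload
```

Because the uid is taken from the token before verification, everything between parsing and the `compare_digest` call runs on attacker-controlled input; the example keeps that window to one dictionary lookup and one HMAC, and creates keys only on the login path.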