[Question] JWT and Stateful

[haikalrios]

Search before asking

• I had searched in the issues and found no similar issues.

Question

Hello everyone, I'd like to share a question and hear your opinions on a specific behavior.

In a stateful application where we use a JWT access token in the authorization header (an approach that might seem odd for combining stateful with JWT), on the first request, the subject is assigned to the session, making it authenticated. Thus, subsequent requests are accepted until the session is invalidated. My question is: considering that the JWT token has its own validity period, would it make sense to revalidate the token with each request, or should we rely entirely on session management? Furthermore, within the context of Shiro, is there a specialized JWT filter and, in this filter, would a session be mandatory?

[fpapon]

I would prefer to validate the JWT at each request in a filter.

[haikalrios]

Thanks @fpapon for your considerations

The perspective of this conceptual example is intriguing and prompts us to reflect on session management and authentication/authorization in stateful applications. When we choose to store authentication/authorization data in the session, the session management mechanism, such as Shiro, naturally assumes control over this state. In this context, a JWT token merely as a transporter of credentials, eliminating the need for revalidation once the session is authenticated because the session has the capability to maintain this state, including management of timeout, invalidation, and more. However, in scenarios where the session holds states not related to authentication/authorization, revalidating the JWT Token on each request through a filter would logically make sense. This approach depends on each use case, but fundamentally, it seems sensible to me. For stateless applications, Shiro offers mechanisms like the filter'NoSessionCreationFilter', which naturally facilitate token verification on every request, a practice common in REST APIs.

Does that make sense?

[fpapon]

Exactly, it's depend on the use case, you can also have a mix between session and JWTs expired validation but for stateless api, using session doesn't not make sense.

[haikalrios]

Exactly, that's the point . Thank you for the contribution @fpapon

Regarding the model that mixes session and JWT expiration validation, although it's possible, it seems to add extra complexities. For instance, synchronizing the session expiration time due to inactivity with the expiration time of the access token and/or refresh token. After all, if a session expires while the JWT is still valid, we would have a collateral effect for the user.

thanks.

[fpapon]

Exactly, that's the point . Thank you for the contribution @fpapon

Regarding the model that mixes session and JWT expiration validation, although it's possible, it seems to add extra complexities. For instance, synchronizing the session expiration time due to inactivity with the expiration time of the access token and/or refresh token. After all, if a session expires while the JWT is still valid, we would have a collateral effect for the user.

thanks.

Agreed, it's not a good solution to have both.