Hacker News
ynniv on Dec 27, 2018 | on: Ask HN: What do you use for authentication and aut...
You can sign session ids to prevent DoS, and you can cache session ids to avoid database lookups, but you can't detect forged or stolen JWT tokens.
nmgsd on Dec 29, 2018
You can't forge a JWT without stealing the private key of the valid JWT signer.
You can steal a JWT token the same way you can steal a session token.