Thank you Permit for sponsoring this video. Check them out at codesource.io/permit
Secure, stateless, and still somehow stressful. Classic JWT. 😅
Let's talk about revoking tokens. Stateless? No?
Alright, session token with cache is much better than innit?
It's never been secure 😅
In the world of reaction videos on coding articles 😅, great to see the quality of your videos increasing.
Glad you like them!
The importance of this video simply cannot be overstated. Well done.
Nice video, I can see you put in a lot of effort! :)
However, I think it sometimes is a little too expressive. You already have good content, so you don't need to satisfy us with new visuals every second of the video to make it great.
Nice work. 😄 You’ll get more viewers very quickly with this high quality!
Great video editing! The cinematic effects are amazing and very enjoyable.
My only problem with JWT is that I find it very complex and hard to understand, and yet a lot of people implement it without knowing how it exactly works. Actually, I think that a lot of devs that don't even know what a cookie is don't know what JWT is either, and yet they use it because it is "easy".
They may be easy to use, but they are more complex than server-side sessions with cookies, which are a lot simpler to use, even though they require more work.
Short-living JWT is for service-to-service communication in a trusted network. For external systems use sessions which can be revoked in case of misuse. It is an implementation detail if you map your session to a short-living JWT for the app's internal communication on each request.
Great quality video! Love to see the effort being put into it
Really good video, it's not common to see these days
Nice work 👏
No more ads interrupting the flow of the video please
Thanks for the feedback; I will work on it. Also, you can always use the chapters feature to navigate through the video.
You're watching a well edited video which I assume took hours or days to be made... for free. He has to make money somehow, I don't think it's too hard to jump after the ad or just wait it out. Short format videos have burned so many brains lol.
@@lovecoffeebutitmakesmegostutuu have paid premium for years already
The video itself is an ad.
I don't like that corners of the video are blurred, it worsens readability.
The best practice is a hybrid approach
JWT + session 🛡️ for maximum security ❤
You mean storing session in a Redis like db right?
@orhanfirik yeah
JWT
Session
Redis
Editing is lit!
This is a great video, thank you !
Love the video!
Just a quick question:
In the example at 10:52, doesn’t good separation of concerns solve this problem?
Why does anybody need to manage the algorithms of JWT after its initial implementation?
Yes, good separation of concerns helps, but JWT algorithms must be managed over time to address evolving standards and vulnerabilities. Security isn't "set and forget". 😊
JWT is safe unless you use it in the wrong way, like exposing it in local storage or not encrypting the data inside the token.
All the problems mentioned are just skill issues tbh. I'm too lazy to write a gigantic comment elaborating solutions to all these "problems", but anyways!
Well, I don't like it when people just vaguely talk about "skill issues". If a JWT library obeys non-signatures, then it's the spec itself that is the issue. As soon as you use JWT as a format, people start pulling in insecure libraries. You would not tolerate a cipher that exposed data without a valid key, no? But we tolerate exactly this with signatures! It's bad that it is standard cryptographic practice: header:plaintext:Sig(plaintext) is a very bad pattern. It is better to hide the plaintext until AFTER a signature check. (This is hard, and I only have an RSA example. But web developers will pull out and obey the plaintext before checking the signature if it is even possible to do at all.)
@robfielding8566 It's a developer problem, not a standard/spec problem. The same thing can be said about bad drivers: it's not the infrastructure or the car that's the problem, it's their incompetency and that's why they suck. So yeah, if a dev isn't checking the signature before they trust what the payload claims, it's their problem!!
@@abdirahmann The problem is that the spec is wrong. A developer downloads a library that implements the spec.
A good developer will then go in and start turning off garbage in the spec, to be NOT compliant with the security holes. In my case, I know that I use ES512, so I write the code to throw an exception for any JWT type I did not use.
JWT is so bad that I actually think it's a trojan horse from a security agency. I don't think the bugs are an accident.
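An added example, not code from the thread or the video, of the defensive verifier the two comments above describe: pin the one algorithm the service actually issues, refuse any other `alg` (including `none`), check the signature before the payload is decoded, and only then read claims and enforce `exp`. It uses HS256 with the Python standard library rather than ES512 so it needs no extra dependency; the key and tokens are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key; a real service loads its key from a secret store.
DEMO_KEY = b"constructed-demo-hmac-key-not-for-production"
ALLOWED_ALGS = {"HS256"}  # pin exactly the algorithm this service issues

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims: dict, key: bytes = DEMO_KEY, alg: str = "HS256") -> str:
    """Demo issuer: signs with HMAC for HS256, emits an empty signature otherwise."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_token(token: str, key: bytes = DEMO_KEY, now=None) -> dict:
    """Return the claims only after the alg is pinned and the signature checks out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # 1. Refuse anything that is not the one algorithm we issue ("none", RS256, ...).
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("unexpected alg")
    # 2. Check the signature before the payload is decoded at all.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # 3. Only now read the claims, and still enforce expiry.
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    return claims

def is_valid(token: str, key: bytes = DEMO_KEY, now=None) -> bool:
    """Boolean wrapper around verify_token for callers that only need accept/reject."""
    try:
        verify_token(token, key, now)
        return True
    except (ValueError, json.JSONDecodeError):
        return False
```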
TLDV; With Vigilance and Precision, JWTs Remain Not Just a Tool, but a Testament to the Evolving Art of Web Security.
I don't understand why JWT is blamed for the mentioned reasons?
To me it looks more like a dev's problem of lack of a good understanding of web security.
Your fonts in this video are too blurry.
Please use a good font, this isn't 1450
That's fake, if you sign the token correctly it can be spoofed ... The token signature will not match and will be declined, every change in the token will change the signature so... Forget this idea
We really need blurry text and chromatic aberration in a supposedly educational video?
Not very informative (to me). It does not quite address any of the issues with anything other than "just so you know" detail; it is a quite layman introductory kind of talk.
I thought james webb telescope...
jwt is pronounced "jot" btw, much easier than "jay double-ewe tee"
I know, but I prefer J-W-T. You might want to check the interview with one of the creators of JWT, link in the description 😄
Wait, I thought JWT was Java Web Toolkit. Can't we stop reusing acronyms already and stop trying to confuse people.
Well, you will be surprised to know that many devs pronounce JWT as "Jot"
@@CodeSource That's not so surprising. Most devs these days are trash. Having bad habits just goes hand in hand.
@@anon_y_moussedaddy Chill, Java is dead these days, we use fancy languages like TypeScript and Rust
@@warrenarnoldmusic Java was dead 25 years ago. Real programmers use C.
@@anon_y_mousse Damn, I used to think C is an acronym. Damn, you guys were wildly efficient with your naming, I bet y'all applied the same to your variables and functions
Didn't understand a word
Teach us
Interesting
Nice
Nice video, but technically shit.
We don't do Technical tutorials 🙂