IACyC Proceedings - Comparative Security and Performance Analysis of Session-Based and JWT-Based Web Session Mechanisms

Conference papers

Authors

Abdaal Khan Khattak , Vladimir Stantchev , Reiner Creutzburg , Hasan Dag and Muhammad Abubakar Bajwa

Abstract

Modern web sites run on plain HyperText Transfer Protocol (HTTP). Two common approaches to maintaining user state are the traditional session, which lives on the server, and the newer JSON Web Token (JWT), which lives only in the browser and is checked by a signature. The big question here is: which one is more secure, and which one has better resource utilization? To answer this, two Node.js apps were built in a local environment. One app used express-session together with Redis, an in-memory database. The other used the jsonwebtoken library with the HS256 signing algorithm and the secret "thesis-secret-123". To test security, user requests were sent from Postman to the apps through OWASP ZAP's proxy. When ZAP ran its scans, it reported 6 different alert types, about 42 and 44 alerts for the session-based and JWT-based web session systems respectively. A manual check with Burp Suite was used to manipulate the user requests. Tampering the connect.sid cookie to a random value gave a 401 error; likewise, the JWT-based server responded with a 401 error to a tampered token. That shows that server-side storage can spot an invalid cookie, whereas the token's contents can be read by anyone who cares to decode it. Performance was measured with JMeter, simulating 1000 users sending requests to each server over a total duration of 20 s. The JWT version answered in about 279 ms on average, while the session version took roughly 7870 ms. Throughput followed a different pattern: about 3.39 requests per second for each server app. Grafana graphs made the gap clear. System stats showed JWT using slightly less CPU (0.127 % vs 0.128 %) and a bit less memory (59.3 MB vs 76.1 MB). These findings underscore that sessions give tight control on the server, which can stop some attacks, but add some latency; JWTs run fast but require robust secret management.

Keywords

session management, JWT, authentication, security, performance, OWASP ZAP, JMeter, Grafana, Prometheus, Node.js, Express.js, Burp Suite, Redis