2 points by lordleft 11 hours ago | 3 comments
  • PaulHoule 10 hours ago
    People were using systems like JWT but not so complex 20 years before, something like

      session_id:user_id:access_rights:timestamp:signature
    
    where signature has to be a good MAC, not the obvious

      MD5(secret_key+":"+"session_id:user_id:access_rights:timestamp")
    
    that lets anybody append stuff to the end of the key. At the time there were a lot of commercial tools like ColdFusion that just did

      session_id
    
    and looked everything up and encouraged you to use this not just for auth but as everyday variables for application state which was problematic in so many ways:

    (1) One of the best salesmen I ever knew would pitch you on how web applications were revolutionary because small businesses could finally afford custom software; as a dev working for him I could give you many reasons, one of which was that once you wrapped your head around it, it was simpler to write a correct stateless back end and have just a little data in the front end and a lot in a relational database than to manage the disorderly graph of a desktop application -- session variables let you use the old patterns but those just didn't work transplanted to the web.

    (2) Distributed systems issues

    We ought to have a new standard that is radically stripped down. As with the old-style session variables, everybody on the team shouldn't get the right to stuff things into the cookie.

  • ossm1db 7 hours ago
    Gall's Law: "A complex system that works is invariably found to have evolved from a simple system that worked"

    The most important concept introduced in this article is that a JWT is not a simple system. The author then describes his own research which concludes that starting with a JWT will not result in a complex system that works.

    Q.E.D. I enjoyed reading this.
