I'm writing a mobile application which uses ASP.NET Core for its backend. For user authentication I considered using JWT at first. But there are some problems with JWT in my case, like invalidating user tokens when needed. For example, if a user's phone was stolen and he wants to log out from all devices.

Also, I found some articles that recommend not using JWT for sessions:

You cannot invalidate individual JWT tokens

And there are more security problems. Unlike sessions - which can be invalidated by the server whenever it feels like it - individual stateless JWT tokens cannot be invalidated. By design, they will be valid until they expire, no matter what happens. This means that you cannot, for example, invalidate the session of an attacker after detecting a compromise. You also cannot invalidate old sessions when a user changes their password.

http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/

So I tried to use traditional sessions in ASP.NET Core. Here is the sample code that I'm using:

services.AddDistributedMemoryCache();

services.AddSession(options =>
{
    // Set a short timeout for easy testing.
    options.IdleTimeout = TimeSpan.FromSeconds(10);
    options.Cookie.HttpOnly = true;
    // Make the session cookie essential
    options.Cookie.IsEssential = true;
});

And the problem is that ASP.NET Core only uses cookies for storing the session id, and in a mobile app we can't use cookies. Instead, we can pass the session id in a request header or URL parameter, like this:

https://localhost/users/6?sessionid=abcdefg...xyz

Does someone have any idea what we can do in this situation?
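One way to get the revocable, server-side sessions the question is after without the cookie dependency of the built-in session middleware, as an added example that is not part of the question or of ASP.NET Core itself: issue an opaque random token, keep only its hash in IDistributedCache together with the user id and a per-user "generation" counter, and read the token from the Authorization header in a custom AuthenticationHandler. Logging out every device then means bumping the user's generation so every outstanding token fails validation. The query-string form from the question (`?sessionid=...`) is deliberately not supported, because URLs end up in server logs, proxy logs and Referer headers. Assumptions, all mine: .NET 6 or later with the Web SDK's implicit usings; AddDistributedMemoryCache is only a stand-in for Redis or a database; the names ServerSessionStore, OpaqueTokenHandler, LoginRequest and SessionRecord are invented for this example; the credential check that must precede session creation is not shown.

```csharp
// Added example, not code from the question. Assumes .NET 6+ (minimal hosting, implicit usings).
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Text.Encodings.Web;
using System.Text.Json;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Caching.Distributed;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddDistributedMemoryCache();          // stand-in; use Redis/SQL cache in production
builder.Services.AddSingleton<ServerSessionStore>();
builder.Services.AddAuthentication(OpaqueTokenHandler.Scheme)
    .AddScheme<AuthenticationSchemeOptions, OpaqueTokenHandler>(OpaqueTokenHandler.Scheme, null);
builder.Services.AddAuthorization();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Password/MFA verification belongs before CreateAsync and is not shown; this example is about the session.
app.MapPost("/login", async (LoginRequest req, ServerSessionStore store) =>
    Results.Ok(new { token = await store.CreateAsync(req.UserId, req.Device) }));

// Protected resource: the client sends "Authorization: Bearer <token>", never a sessionid in the URL.
app.MapGet("/users/{id}", (string id, ClaimsPrincipal user) =>
    Results.Ok(new { id, caller = user.FindFirst(ClaimTypes.NameIdentifier)?.Value }))
   .RequireAuthorization();

// "Phone stolen" case: bump the user's generation so every token issued so far is rejected.
app.MapPost("/logout-all", async (ClaimsPrincipal user, ServerSessionStore store) =>
{
    await store.LogoutAllAsync(user.FindFirst(ClaimTypes.NameIdentifier)!.Value);
    return Results.NoContent();
}).RequireAuthorization();

app.Run();

public sealed record LoginRequest(string UserId, string Device);                       // hypothetical DTO
public sealed record SessionRecord(string UserId, string Device, int Generation, DateTimeOffset IssuedAt);

public sealed class ServerSessionStore                                                  // hypothetical name
{
    private static readonly TimeSpan Ttl = TimeSpan.FromDays(30);   // sliding idle timeout for a session
    private readonly IDistributedCache _cache;
    public ServerSessionStore(IDistributedCache cache) => _cache = cache;

    // Key by SHA-256 of the token: a dump of the cache cannot be replayed as bearer tokens.
    private static string Key(string token) =>
        "sess:" + Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));
    private static string GenKey(string userId) => "sessgen:" + userId;

    private async Task<int> GetGenerationAsync(string userId) =>
        int.TryParse(await _cache.GetStringAsync(GenKey(userId)), out var g) ? g : 0;

    public async Task<string> CreateAsync(string userId, string device)
    {
        // 256 bits from the CSPRNG; the raw token goes to the client once and is never stored.
        var token = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        var record = new SessionRecord(userId, device, await GetGenerationAsync(userId), DateTimeOffset.UtcNow);
        await _cache.SetStringAsync(Key(token), JsonSerializer.Serialize(record),
            new DistributedCacheEntryOptions { SlidingExpiration = Ttl });
        return token;
    }

    public async Task<SessionRecord?> ValidateAsync(string token)
    {
        var json = await _cache.GetStringAsync(Key(token));
        if (json is null) return null;                          // unknown, expired or individually revoked
        var record = JsonSerializer.Deserialize<SessionRecord>(json)!;
        if (record.Generation != await GetGenerationAsync(record.UserId))
        {
            await _cache.RemoveAsync(Key(token));               // issued before a logout-all: drop it
            return null;
        }
        return record;
    }

    public Task RevokeAsync(string token) => _cache.RemoveAsync(Key(token));   // log out this device only

    // Read-modify-write is not atomic here; use Redis INCR or a database column in production.
    public async Task LogoutAllAsync(string userId) =>
        await _cache.SetStringAsync(GenKey(userId), (await GetGenerationAsync(userId) + 1).ToString());
}

public sealed class OpaqueTokenHandler : AuthenticationHandler<AuthenticationSchemeOptions>   // hypothetical name
{
    public const string Scheme = "OpaqueToken";
    private readonly ServerSessionStore _store;

    // The ISystemClock parameter is obsolete on .NET 8 (a constructor without it exists there) but still works.
    public OpaqueTokenHandler(IOptionsMonitor<AuthenticationSchemeOptions> options, ILoggerFactory logger,
        UrlEncoder encoder, ISystemClock clock, ServerSessionStore store)
        : base(options, logger, encoder, clock) => _store = store;

    protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        var header = Request.Headers["Authorization"].ToString();
        if (!header.StartsWith("Bearer ", StringComparison.Ordinal)) return AuthenticateResult.NoResult();
        var record = await _store.ValidateAsync(header["Bearer ".Length..].Trim());
        if (record is null) return AuthenticateResult.Fail("invalid or revoked session");
        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.NameIdentifier, record.UserId) }, Scheme);
        return AuthenticateResult.Success(new AuthenticationTicket(new ClaimsPrincipal(identity), Scheme));
    }
}
```

Because the session state lives on the server and the token is only a lookup key, each of the complaints quoted from the blog post is addressed: a single token is revoked with RevokeAsync, all of a user's tokens with LogoutAllAsync (call it from the password-change path as well), and the same request handling works for a browser client if the token is later moved into a cookie. Keep the token out of URLs, send it over TLS only, and store it on the phone in the platform keychain/keystore rather than in plain preferences.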

0 Answers