<p>People were using systems like JWT, but not so complex, 20 years earlier, something like</p>
<pre><code>session_id:user_id:access_rights:timestamp:signature
</code></pre>
<p>where signature has to be a good MAC, not the obvious</p>
<pre><code>MD5(secret_key + ":" + "session_id:user_id:access_rights:timestamp")
</code></pre>
<p>that lets anybody append stuff to the end of the key. At the time there were a lot of commercial tools like ColdFusion that just did</p>
<pre><code>session_id
</code></pre>
<p>and looked everything up, and encouraged you to use this not just for auth but as everyday variables for application state, which was problematic in so many ways:</p>
<p>(1) One of the best salesmen I ever knew would pitch you on how web applications were revolutionary because small businesses could finally afford custom software; as a dev working for him I could give you many reasons, one of which was that once you wrapped your head around it, it was simpler to write a <i>correct</i> stateless back end and have just a little data in the front end and a lot in a relational database than to manage the disorderly graph of a desktop application -- session variables let you use the old patterns, but those <i>just didn't work</i> transplanted to the web.</p>
<p>(2) Distributed systems issues</p>
<p>We ought to have a new standard that is radically stripped down. As with the old-style session variables, everybody on the team shouldn't get the right to stuff things into the cookie.</p>
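<p>The stripped-down token format from the comment above, with the signature done as a proper HMAC rather than a hash over key-plus-message, as an added example that is not part of the original comment. The key, field names and expiry window are constructed for the demo; verification rejects a token that has extra fields appended, a modified field, or a stale timestamp.</p>

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo key; a real deployment loads a random key from a secret store.
SECRET_KEY = b"constructed-demo-key-do-not-use"
FIELD_COUNT = 4  # session_id, user_id, access_rights, timestamp


def _tag(payload: str) -> str:
    # HMAC(key, payload), not hash(key || payload): the key is mixed in twice,
    # so appending data to the payload cannot yield a valid tag without the key.
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(session_id: str, user_id: str, access_rights: str,
                now: Optional[int] = None) -> str:
    # The delimiter must not appear inside a field, or a field could smuggle one more.
    for field in (session_id, user_id, access_rights):
        if ":" in field:
            raise ValueError("field must not contain the ':' delimiter")
    ts = int(time.time()) if now is None else now
    payload = f"{session_id}:{user_id}:{access_rights}:{ts}"
    return f"{payload}:{_tag(payload)}"


def verify_token(token: str, max_age: int = 3600,
                 now: Optional[int] = None) -> Optional[dict]:
    """Return the parsed fields, or None if the token is malformed, tampered or expired."""
    parts = token.split(":")
    if len(parts) != FIELD_COUNT + 1:
        return None  # rejects 'token:extra_field' style appends outright
    payload, tag = ":".join(parts[:-1]), parts[-1]
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(_tag(payload), tag):
        return None
    session_id, user_id, access_rights, ts = parts[:-1]
    if not ts.isdigit():
        return None
    current = int(time.time()) if now is None else now
    if current - int(ts) > max_age:
        return None  # the timestamp only means something because it is under the MAC
    return {"session_id": session_id, "user_id": user_id,
            "access_rights": access_rights, "timestamp": int(ts)}
```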