Is using JWT token for "remember me" less secure than random session token?

JWTs, if hashed and encrypted strongly enough, are just as secure as sessions and bring lower overhead. Just make sure to keep it small (although if you're doing anything that requires more than a few KB of storage you're probably doing something wrong...). Follow the best practices for sessions with JWT and you'll be fine.

If you use a strong enough algorithm and a strong enough key then the user trying to crack it will be WAY out of luck. And if they do crack it then they also have to find a way to steal other people's JWT cookies to get that info (the same type of attack against a session).

If a JWT is less secure than a session, then you've designed it wrong, because a JWT is a client-side session. Everything you would store in a session can be stored here. Heck, you can even store a session id in it to keep track of larger things in the DB that wouldn't have a place in the JWT.


As Robert said, a JWT can be just as secure as a session if it is encrypted well. Make sure the secret you use is very unique.

WARNING: There is a vulnerability with some JSON Web Token libraries that use asymmetric keys.

node-jsonwebtoken, pyjwt, namshi/jose, php-jwt, or jsjwt with asymmetric keys (RS256, RS384, RS512, ES256, ES384, ES512). These libraries are vulnerable; to fix this, make sure you have the latest updates for them.

This website is very helpful for JWT education and testing: https://jwt.io/

This Stack Overflow answer explains asymmetric vs. symmetric keys: https://stackoverflow.com/questions/32900998/jwt-keys-asymmetric-and-symmetric

These are the packages I use in my MEAN application: "jsonwebtoken": "^5.7.0", "passport-jwt": "^2.0.0"

passport.js is for authentication.