The Problem with JWT Authentication

Introduction

JWT (JSON Web Token) is a widely used standard for communicating securely between a server and a client. It is stateless, which makes it very fast, but this stateless nature introduces challenges — especially around logout and token invalidation.

Common JWT Authentication Workflow

User logs in by sending credentials:

{
  "username": "r0ld3x",
  "password": ""
}

Server verifies credentials and creates a JWT:

const jwt = require("jsonwebtoken");

const secret = "your-256-bit-secret";
const user = { id: 1 };
const payload = { id: user.id };

const token = jwt.sign(payload, secret, {
  algorithm: "HS256",
  header: { typ: "JWT" },
  expiresIn: "30d"
});

console.log("JWT Token:", token);

The token includes the user ID and expiry.
It's signed for integrity, but not encrypted.
Anyone can decode and view the payload (e.g., user ID).

Token is sent to the client, often via a cookie:

Set-Cookie: token=eyJhbGciOi...; HttpOnly; Secure

On each request, the client sends the token.
- The server verifies its signature and expiration.
- But does NOT track tokens server-side (unless extra mechanisms are used).

The Logout Problem

Logging out typically just clears the cookie.
But the JWT is still valid until it expires.
If someone steals your cookie (via XSS or MitM), they can continue using your account.

Solution: Custom Session Layer

Introduce a server-side token/session store to handle:

Revoking tokens on logout
Expiring tokens server-side
Tracking active sessions

Workflow:

Encrypt the user ID using AES or RSA.
Store the encrypted token with its associated user ID and expiry in a DB table.
Return this token to the client.
On every request:
- Decrypt the token
- Lookup in the DB if the session is still valid
On logout:
- Remove the token from the DB
- It is now invalid even if stolen

Example: AES Encryption

const crypto = require('crypto');
const algorithm = 'aes-256-cbc';
const secretKey = crypto.randomBytes(32);
const iv = crypto.randomBytes(16);

function encryptUserId(userId) {
  const cipher = crypto.createCipheriv(algorithm, secretKey, iv);
  let encrypted = cipher.update(userId.toString(), 'utf8', 'hex');
  encrypted += cipher.final('hex');
  return iv.toString('hex') + ':' + encrypted;
}

function decryptUserId(encrypted) {
  const [ivHex, encryptedData] = encrypted.split(':');
  const decipher = crypto.createDecipheriv(algorithm, secretKey, Buffer.from(ivHex, 'hex'));
  let decrypted = decipher.update(encryptedData, 'hex', 'utf8');
  decrypted += decipher.final('utf8');
  return decrypted;
}

const token = encryptUserId(45);
console.log('Token:', token);
console.log('User ID:', decryptUserId(token));

Summary: JWT vs Custom Encrypted Tokens

Feature	JWT	Encrypted ID Token
Stateless	✅	❌
Self-contained	✅	❌ (DB lookup)
Expirable	✅ (with `exp`)	✅ (manual)
Revocable	❌ (unless stored)	✅
Tamper-proof	✅ (signed)	✅ (encrypted)
Confidential	❌	✅

Final Thoughts

JWT is powerful, but you must extend it with server-side validation (blacklist/allowlist) or consider fully custom auth mechanisms to support logout and token revocation securely.