
I am new to Single Page Applications. One big question for me is how to make my application secure. I am using React in the front-end and express + mongodb in the back-end.

In the old web site, we used a session to do the authorization. If the session timed out, we could redirect the user to the login page. And if a user keeps doing some actions on our website, his session will never expire.

But now, I am using JWT to do the authorization. A token may expire in 1 minute, after which the user has to log in again.

From my understanding, one way is to 're-send a token on every request/response, then each request/response will have a new token'. But I think this is not the correct way to use JWT.

So my questions are:

  1. What is the correct way to avoid the user logging in again if he is still working on our web app?
  2. Do we need to store the token in the database (mongodb)?
  3. If I store the token in localStorage, everyone can borrow it from the browser and copy the token into their client. How to avoid it?
Chris
  • I just deleted my answer. I like [this one](http://stackoverflow.com/a/26834685/398606) better. Scale it to your needs. The gist of my answer was that token renewal is up to the needs of your app, no need to store JWT in database. Server must verify the token's signature on each request. – Sunil D. Aug 31 '15 at 07:45
  • They can read whatever you store in cookies too. The JWT's payload is not encrypted, but you can encrypt it. The point is that the server will never trust an invalid token. You should avoid storing sensitive info in the token, mitigating the need for encryption. – Sunil D. Aug 31 '15 at 08:03
  • My problem is everyone can see my token in the browser localStorage and can copy/paste it to their client, then send back to my server. It's still a valid token. How to avoid this? – Chris Aug 31 '15 at 10:00
  • Each token should be encrypted with certain sensitive information; what we did was use the user's IP, browser, and OS info (or other information you would like) and came out with the token. Each token also has an expiry time. http://jonatan.nilsson.is/stateless-tokens-with-jwt/ – Jim Aug 31 '15 at 14:19
