I am reading about JWT. After a couple of days I got the idea of this concept. Now my question is about creating a JWT token per user which prevents others from using another user's token.

For example, a scenario: user A logs in to the server and gets its JWT token, and the server allows it to access the resources.

Now a third party comes in and gets the JWT token of user A. Now the third party can use this token to access resources without logging in to the system.

How can I create a JWT token specially for a unique user?

Navid_pdp11

1 Answer

The JWT includes the user identifier in the 'sub' field. It may only be used to identify this user.

Once issued, the token replaces the user's credentials, so you have to prevent the token from being stolen and also mitigate the effects if it is:

  • Mainly, use HTTPS to avoid Man-In-The-Middle attacks
  • Set a short expiration time and rotate the tokens
  • Remove the token at the client side after logout
  • Use cookies to store it and set HttpOnly to mitigate the risk of client-side script accessing the protected cookie
  • Maintain a server blacklist for non-accepted tokens, for example when the user logs out, changes password or updates permissions, and also when an administrator revokes an account.
pedrofb
  • I heard about methods like rotating tokens and a server blacklist, .... and in my opinion those break the JWT principle of authorization without database access and the statelessness of JWT – Navid_pdp11 Jul 25 '16 at 09:53
  • 1
    I agree that maintaining a blacklist means knowing the state and breaks "stateless" in some way. Alternatively, it is possible to put a hash in the token itself that includes the password and / or permissions and check it in every request (accessing the database...). Take a look at http://stackoverflow.com/questions/21978658/invalidating-json-web-tokens. Rotating the tokens with a short expiration period is a security measure. A stolen token would have a short-time effect. You can apply it or not depending on the needs of your site – pedrofb Jul 25 '16 at 10:08
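The following is an added example, not code from the answer above or from any JWT library; it puts the answer's token-side controls (a 'sub' bound to one user, a short 'exp', a 'jti' for a server-side blacklist) and the comment's stateless alternative (a digest of the password hash and permissions carried in the token and re-checked on every request) into one small HS256 issuer/verifier built only on the Python standard library. The signing key, the `ACCOUNTS` store and all hashes are constructed placeholders; the helper names (`issue_token`, `verify_token`, `revoke_token`, `account_version`) are this example's own. HTTPS and HttpOnly cookies are transport and storage controls and are not shown here.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key (assumption); a real service loads it from a secret store.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def account_version(password_hash: str, permissions) -> str:
    """Short digest of the account state (the comment's stateless check): any
    password or permission change changes this value, so older tokens fail."""
    material = password_hash + "|" + ",".join(sorted(permissions))
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def issue_token(account: dict, ttl: int = 300, now=None) -> str:
    """Sign an HS256 JWT bound to one user ('sub') with a short lifetime ('exp'),
    a unique id ('jti') that a blacklist can key on, and the account version."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": account["sub"],
        "iat": now,
        "exp": now + ttl,
        "jti": secrets.token_hex(8),
        "ver": account_version(account["password_hash"], account["permissions"]),
    }
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def revoke_token(token: str, blacklist: set) -> None:
    """Server-side blacklist entry keyed by 'jti' (logout, admin revocation)."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    blacklist.add(payload["jti"])


def verify_token(token: str, accounts: dict, blacklist: set, now=None):
    """Return (ok, reason, payload): the checks a resource server runs before
    trusting the 'sub' claim, in the order a failure is cheapest to detect."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed", None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "malformed", None
    # Pin the algorithm server-side; the token never gets to choose it.
    if header.get("alg") != "HS256":
        return False, "bad alg", None
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature", None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return False, "expired", None
    if payload.get("jti") in blacklist:
        return False, "revoked", None
    account = accounts.get(payload.get("sub"))
    if account is None:
        return False, "unknown user", None
    if payload.get("ver") != account_version(account["password_hash"],
                                             account["permissions"]):
        return False, "stale", None
    return True, "ok", payload


# Constructed account store standing in for the real user database.
ACCOUNTS = {
    "alice": {"sub": "alice", "password_hash": "pbkdf2$constructed$hashA",
              "permissions": ["read"]},
}


def demo() -> dict:
    """Walk one token through each control; returns the verifier's reason per case."""
    t0 = 1_000_000
    token = issue_token(ACCOUNTS["alice"], ttl=300, now=t0)
    blacklist: set = set()
    out = {"fresh": verify_token(token, ACCOUNTS, blacklist, now=t0 + 100)[1]}
    out["after_expiry"] = verify_token(token, ACCOUNTS, blacklist, now=t0 + 301)[1]
    changed = {"alice": dict(ACCOUNTS["alice"], password_hash="pbkdf2$constructed$hashB")}
    out["after_password_change"] = verify_token(token, changed, blacklist, now=t0 + 100)[1]
    revoke_token(token, blacklist)  # user logged out
    out["after_logout"] = verify_token(token, ACCOUNTS, blacklist, now=t0 + 100)[1]
    return out


if __name__ == "__main__":
    print(demo())
```

The `ver` claim is what makes the comment's suggestion work without a blacklist: the resource server still reads the account record on every request, but it stores nothing per token. The `jti` blacklist covers the cases `ver` cannot, such as a logout that changes no account data, and only has to be kept for as long as the token's short `exp` allows it to be valid.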