
I decided to implement security based on JSON Web Tokens, but I have one question. Let's say I have a user Tom and he makes a request to my server. As a response he will get a JWT. All subsequent requests from Tom will contain this JWT. Is it possible that somebody will capture his JWT using Wireshark or something else and make a request on behalf of Tom without his knowledge? From the server's perspective the JWT will be valid.

Yeynno

2 Answers


Yes, it is possible. It's called a "replay attack". HTTPS makes it much harder to do, but it's still possible even with HTTPS. Related discussion can be found, for example, here: https://stackoverflow.com/a/2770200/43848

artem

Yes, it is possible. Anyone with the JWT could impersonate Tom. Use HTTPS to prevent an attacker from capturing the token from the exchanged messages, and keep the token in secure storage.

pedrofb
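Both answers make the same point: a bearer JWT proves nothing about who is presenting it, so a captured copy is indistinguishable from Tom's own request. The following added example (not code from the question or either answer) walks through that scenario with a minimal HS256 JWT issuer and verifier written on the Python standard library. The server key, the user "tom", the timestamps, the 300-second lifetime and the token id `token-1` are all constructed for the demo. It shows the captured token verifying for the attacker exactly as it does for Tom, and then the two server-side limits a practitioner usually adds on top of HTTPS and secure client storage: a short `exp` so a stolen token is only useful briefly, and a `jti` denylist so a token can be revoked once theft is suspected.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example: the server's HS256 signing key. A real server
# loads this from a secrets store; it is never hard-coded.
SERVER_KEY = b"example-hs256-key-do-not-use"

# Server-side denylist of revoked token ids (jti), filled on logout or when a
# user reports that a token was stolen. Hypothetical: an in-memory set.
REVOKED_JTI = set()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_compact(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def issue_token(subject: str, now: int, ttl_seconds: int, jti: str) -> str:
    """Mint an HS256 JWT for `subject` that expires `ttl_seconds` after `now`."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ttl_seconds, "jti": jti}
    signing_input = _b64url(_json_compact(header)) + "." + _b64url(_json_compact(payload))
    signature = hmac.new(SERVER_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_token(token: str, now: int):
    """Return the payload if the token is authentic, unexpired and not revoked; else None.

    Note what is NOT checked: who presented the token. A bearer JWT carries no
    proof of the sender, so a captured copy verifies exactly like the original.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm server-side; never let the token choose it (alg=none).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SERVER_KEY, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    # Short lifetimes bound how long a stolen token stays useful.
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        return None
    # Revocation is the only way to cut a stolen token off before it expires.
    if payload.get("jti") in REVOKED_JTI:
        return None
    return payload


def revoke(jti: str) -> None:
    REVOKED_JTI.add(jti)


def replay_demo():
    """Walk through the scenario in the question and return each outcome."""
    REVOKED_JTI.clear()  # fresh state so the demo is repeatable
    t0 = 1_700_000_000   # constructed issue time
    tom_token = issue_token("tom", now=t0, ttl_seconds=300, jti="token-1")
    captured = tom_token  # byte-for-byte what a sniffer sees on an unencrypted link

    # An attacker who edits the claims but keeps Tom's signature is rejected.
    h, p, s = captured.split(".")
    forged_payload = json.loads(_b64url_decode(p))
    forged_payload["sub"] = "admin"
    forged = h + "." + _b64url(_json_compact(forged_payload)) + "." + s

    outcomes = {
        "tom_request": verify_token(tom_token, now=t0 + 10),
        "replay_inside_ttl": verify_token(captured, now=t0 + 60),   # accepted: server cannot tell
        "replay_after_exp": verify_token(captured, now=t0 + 300),   # rejected: expired
        "forged_sub": verify_token(forged, now=t0 + 60),            # rejected: bad signature
    }
    revoke("token-1")  # Tom reports the theft; server denylists the jti
    outcomes["replay_after_revoke"] = verify_token(captured, now=t0 + 60)
    return outcomes


if __name__ == "__main__":
    for name, result in replay_demo().items():
        print(f"{name}: {'accepted as ' + result['sub'] if result else 'rejected'}")
```

The `replay_inside_ttl` outcome is the answer to the question: signature verification only proves the token was minted by the server, not that Tom sent this request, so the replay is accepted as Tom. The later outcomes show what the server can still do about it after the fact: a tight `exp` (minutes, refreshed via a separate, better-protected refresh token) and a `jti` denylist consulted on every request. Neither replaces HTTPS, which is what stops the capture in the first place.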