
I'm learning about how to implement security with regards to authentication, especially JWT tokens. My understanding is that the JWT token, once signed by the server, is given back to the user, who should keep the token until he or she logs out.

var jwt = require('jsonwebtoken'); // assumed: the Node.js jsonwebtoken package, which exposes jwt.sign/jwt.verify
var token = jwt.sign(user, 'secret'); // HS256 by default; 'secret' is the HMAC key that stays on the server

signs the user object with the secret 'secret' in Javascript, and user might look something like this:

var user = {
  name: 'bob',
  password: 'bobpassword' // the payload is only base64url-encoded, not encrypted, so this is readable by anyone holding the token
};

When verifying, we simply call jwt.verify(token, 'secret') to verify that the corresponding token is the user.


However, wouldn't this signature/token be the same every time? Our secret here is always 'secret', so should we change the secret every login? Then how are we to store the secret so it's secure? Or should we add some type of random string to user every time?

I'm simply looking for the proper approach here in terms of security.

bli00
    The token changes every time, as it also contains times like iat (issued at) and exp (expires at). A password is usually not part of the token. And the secret should be kept on the server. Check https://jwt.io for an introduction. – jps Mar 22 '18 at 14:55
  • are the `iat` and `exp` automatically handled or do I need to pass that in to the signing function? – bli00 Mar 22 '18 at 14:57
  • See the documentation of the jwt framework you use. I don't work with js. You can also check the resulting jwt on jwt.io. There you can see what's in it. – jps Mar 22 '18 at 15:03
  • https://stackoverflow.com/questions/42826251/what-should-be-the-secret-in-jwt – Cisco Mar 23 '18 at 03:24
