
I have an authenticated JWT token and it's in session storage.

Machine 1 is logged in as a normal user; Machine 2 is logged in as admin.

If I copy Machine 1's JWT token into Machine 2's session storage and then make further API calls, the server should say unauthorised access.

ArulKumar
  • I sense some possible confusion about how JWTs are intended to be used. The whole point of a JWT is that the user doesn't need to keep logging in. How would a single logical user be able to log in both as a normal user _and_ as an admin? Please add more details to your question. – Tim Biegeleisen Sep 25 '18 at 07:03
  • @ArulKumar this might help you [https://stackoverflow.com/questions/34259248/what-if-jwt-is-stolen] – Piyush Kumar Sep 25 '18 at 08:17

2 Answers


Industry best practice at the moment is to implement access/refresh token pairs.

You can follow the next tutorials on how you can implement it

This will drastically reduce the possibility of someone stealing the access token and trying to use it on other machines.

Alexandru Olaru
  • Alexandru, thanks for your answer. I have a concern; please correct me if I am wrong. Ultimately, I need to identify, between multiple machines, which one hits the server. Especially, how can I detect when a token is generated by one client, then stolen by another client and sent to the server? The precondition is that all the machines have the same IP address. Thanks – ArulKumar Sep 25 '18 at 14:24
  • You can use the fingerprint technique to identify the machine, and you can encode it in your token; then every time you validate the token you can check if the fingerprint is consistent, so when a hacker sends you the token it will have another fingerprint and will fail the validation. https://amiunique.org/fp You can hash all the collected data. – Alexandru Olaru Sep 25 '18 at 16:17
  • Use rotating refresh tokens for guaranteed token theft detection, as fingerprinting is easily spoofed. See my answer for this please. – Rishabh Poddar Jun 22 '19 at 18:00

Given your specific requirements, you can try the usual stuff of browser fingerprinting or IP address change. But in an answer you said that the IP addresses can be the same + fingerprinting is very easily spoofed. For this, I suggest you implement rotating refresh tokens. This will guarantee token theft detection if the token is used on two different devices - in fact, even two different processes in the same device! This however requires careful implementation. See this blog for more details

Rishabh Poddar
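The rotating-refresh-token scheme this answer recommends, as an added Python example (not code from the answer or any blog it links): every login starts a token family, each refresh token can be consumed once, and replaying an already-consumed token revokes the whole family so both holders are logged out. The store layout and function names are assumptions; an in-memory dict stands in for the server's database table.

```python
import secrets

class RefreshTokenStore:
    """In-memory stand-in for the server-side refresh-token table (assumed layout)."""
    def __init__(self):
        self.tokens = {}            # refresh token -> {"family", "user", "used"}
        self.revoked_families = set()

    def _issue(self, family, user):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"family": family, "user": user, "used": False}
        return token

    def login(self, user):
        """Each login starts a new token family; return its first token."""
        return self._issue(secrets.token_urlsafe(16), user)

    def refresh(self, presented):
        """Consume `presented` and issue its successor, or raise."""
        rec = self.tokens.get(presented)
        if rec is None:
            raise PermissionError("unknown refresh token")
        if rec["family"] in self.revoked_families:
            raise PermissionError("session revoked")
        if rec["used"]:
            # A token that was already rotated is being replayed: two holders
            # share one session. Revoke the whole family so both are logged
            # out and the legitimate user has to authenticate again.
            self.revoked_families.add(rec["family"])
            raise PermissionError("refresh token reuse detected")
        rec["used"] = True
        return self._issue(rec["family"], rec["user"])

def simulate_copied_token():
    """Constructed scenario: one refresh token ends up in two session
    storages and both places try to refresh. Returns the outcome."""
    store = RefreshTokenStore()
    original = store.login("user-a")
    copied = original                  # the same token now exists in two places
    rotated = store.refresh(original)  # first holder refreshes normally
    try:
        store.refresh(copied)          # second holder replays the consumed token
        return "reuse not detected"
    except PermissionError:
        pass
    try:
        store.refresh(rotated)         # the first holder is now locked out too
        return "family not revoked"
    except PermissionError:
        return "theft detected, family revoked"
```

Pair this with short-lived access tokens: detection only happens at refresh time, so the window in which a copied access token works is bounded by its expiry.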