
Say I generate a JWT from my back-end and send it to my front-end which stores it in local storage (or a cookie, etc). What is stopping someone from going into the browser dev tools, copying the token and using it on another computer while the token is still active (i.e. has not expired)?

Consider the following:

  1. Person 1 logs into the application and is given a JWT. That token is then stored in local storage.
  2. Person 1 leaves their computer for 10 minutes.
  3. Person 2 comes along and copies Person 1's JWT via the browser dev tools.
  4. Person 2 goes to another computer and pastes the JWT taken from Person 1 into their local storage.

Is it correct to say that in the scenario above Person 2 is now able to act as Person 1 on the application? If so, how would you secure this? I feel like I'm missing a vital bit of information that I can't seem to find the answer to.

MemUya
  • Read this one please. https://stackoverflow.com/questions/34259248/what-if-jwt-is-stolen – westdabestdb Jan 10 '19 at 23:11
  • If `Person1` leaves the computer for 10 minutes then `Person2` can do much worse stuff than just copying the JWT token. If `Person1` leaves the computer knowing that web applications are logged in and the computer is exposed, then it's like leaving the house with the doors open. At least the JWT token expires and doesn't expose the password. – Ivan Sivak Jan 10 '19 at 23:20
  • @westdabestdb Thank you for that link, I didn't come across it during my search. – MemUya Jan 10 '19 at 23:30
  • @IvanSivak If I'm understanding correctly, if someone else has access to another person's PC, the JWT is the least of their (or mine as the developer of the app) issues, since at least the JWT will eventually expire? – MemUya Jan 10 '19 at 23:32
  • @MemUya Right. Of course it is still an issue, but if I walk away from my PC leaving it open then anybody can sit down and, for example, delete all my files, see emails in the email client, etc. If you are concerned about JWT token theft, perhaps consider embedding an IP address claim into the token while you're issuing it. Then, with every request, you can check on the server if the IP address is the same as the one claimed in the token. It is not bulletproof, but if you are concerned about it check this: https://security.stackexchange.com/questions/64350/compromised-json-web-token-jwt-bearer-token – Ivan Sivak Jan 12 '19 at 10:28
