
I am currently storing a jwt token inside my cookie.

A couple of questions arise. Can the client edit the content/data inside my jwt token? In this case I am storing a non-sensitive username but I figured that any user could in theory edit that jwt token data? In any case if they do, with jwt can you verify if the token has been tampered with and will this always be foolproof?

Second question, does httpOnly on a cookie make it so that the content of the cookie cannot be edited or is it simply making it non accessible to javascript?

  • related: [If you can decode JWT, how are they secure?](https://stackoverflow.com/q/27301557) – jps Aug 08 '22 at 22:00

1 Answer


An important thing to remember in web development is that everything that happens in the browser is in the user's control. And I really mean everything.

If the user presses F12 in most modern browsers, they will get a debug console with all sorts of things to fiddle with. If the feature they want isn't there, there is absolutely nothing stopping them from making their own browser that does something differently - or, more likely, sending requests to your server that look like they've come from a browser, but which were actually generated by some much simpler script.

So, onto your questions:

  1. JWT includes a mechanism to cryptographically sign your token. The principle is that it is mathematically difficult (really, really difficult) to generate a correct signature if you don't know the correct private key. If you implement the signing and verification correctly (which generally means using a well-known implementation written by someone who knows all the pitfalls) you can be confident that you would spot someone sending an edited token, because the signature would be wrong.
  2. Attributes such as HttpOnly are not to protect you from malicious users, they are to protect the user from malicious software. They tell well-behaved browsers what kinds of interaction should be possible with the cookie, so that the user - who is ultimately in control of the cookie - isn't tricked into doing something dangerous.
– IMSoP
  • Thank you so much. Although the first part scares me a bit: All I really am doing is sending back a jwt.signed token with a secret key, that contains the user. Then on any requests my api route reads the cookie, decrypts the token with the secret key, and grabs the data inside. Would this mean that everything is getting verified in case of any edited token data? Since jsonwebtoken is doing both the verify and signing? – Aug 08 '22 at 20:29