Is this authentication scheme using JWT secure?

Question

I was wondering if you could review this authentication scheme for web application.

=== Login Page ===
Credentials Verification => Server issues JWT => Stored in a Cookie

JWT contains:
exp: timestamp
uid: UserID
HMAC-SHA512 Signature

Redis stores:
Key: UserID
Value: SecretKey (Only inserted if does not exist)

=== Authentication of Requests ===
JWT Decoded
$uid = UserID

Redis gets:
Value: SecretKey from
Key: $uid

JWT HMAC Verification using SecretKey
if verified
if exp not expired

ALL OK

So why using JWT at all when this is actually a stateful scheme and not stateless?

Verification performs only a single query to Redis, there is no need to do another to get the UserID
No need to store SessionID for every session, Redis stores only one record for unlimited sessions of given user.
No need to maintain expired sessions in Redis and delete them.
All tokens of a single user can be revoked anytime by changing SecretKey

Please tell me whether it is stupid or there are any security flaws so I do not implement crap.

score -1 · Answer 1 · answered Jan 30 '17 at 18:06

-1

In general looks good. However, few issues to think of

The userID isn't encrypted. If the request is not going over TLS, it's leaking that info to MITM. You might want to encrypt it.
Once user logs out, what prevents the JWT from still getting used, assuming it's not expired?

answered Jan 30 '17 at 18:06

Sunil Agrawal

Hello Sunil, thanks for the review. I'm using TLSv1.2 only. That's good point, nothing prevents JWT from getting used, maybe I could use Bloom Filter for 'logged out' tokens? – Peter Bielak Jan 30 '17 at 19:33
Bloom filter is definitely worth looking into. How do you plan to GC on expiry? – Sunil Agrawal Jan 30 '17 at 20:31
GC could be executed on every x write to the bloom. – Peter Bielak Jan 30 '17 at 20:58

1 Answers1