A JSON Web Token (JWT) is a signed token issued by a server to a client that carries claims, e.g. about identity, which the client can present to a third party, e.g. a service provider, that validates them.
Questions tagged [jwt]
385 questions
                    
81 votes, 7 answers
Is refreshing an expired JWT token a good strategy?
If I understand best practices, JWT usually has an expiration date that is short-lived (~ 15 minutes). So if I don't want my user to log in every 15 minutes, I should refresh my token every 15 minutes.
I need to maintain a valid session for 7 days…
asked by Guillaume Vincent
 
40 votes, 4 answers
Can I prevent a replay attack of my signed JWTs?
I have implemented a stateless auth over HTTP in Laravel, using JWTs.
I send my username/password from the frontend.
Server authenticates user, sends back a signed JWT with an expiry time.
I'm using the HS512 algorithm to sign with a private key…
asked by Aditya M P
 
40 votes, 3 answers
How does JTI prevent a JWT from being replayed?
According to the JWT RFC a JWT can optionally have a JTI which I interpret to be a unique ID for a JWT. It seems like a UUID is a good value for a JTI. The RFC claims that the JTI can be used to prevent the JWT from being replayed. Two…
asked by ams
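An added example, not code from the question above or from any JWT library, of the check the RFC has in mind: a jti only stops a replay if the verifier remembers which ids it has already honoured, so a single-use token (a password-reset or payment link, say) is accepted once and refused after that. Tokens an app presents on every request are a different case: there a jti can feed a revocation list, but it cannot make a bearer token unreplayable. `ReplayGuard` and `one_time_claims` are hypothetical names, and the signature is assumed to have been verified before `accept` is called.

```python
import time
import uuid
from typing import Dict, Optional


def one_time_claims(sub: str, ttl_seconds: int, now: Optional[int] = None) -> dict:
    """Claims for a single-use token: a random jti plus a short exp."""
    now = int(time.time()) if now is None else now
    return {"sub": sub, "jti": str(uuid.uuid4()), "iat": now, "exp": now + ttl_seconds}


class ReplayGuard:
    """Accept each jti at most once; remember it only until that token's exp.

    The caller must already have verified the signature: a jti check on an
    unverified token proves nothing. This is a single-process store; behind
    several servers the same logic needs a shared store, which is exactly the
    state that plain JWT verification otherwise avoids.
    """

    def __init__(self) -> None:
        self._seen: Dict[str, int] = {}  # jti -> exp, so entries can be dropped

    def _prune(self, now: int) -> None:
        # Forget ids whose tokens can no longer pass the exp check anyway.
        for jti in [j for j, exp in self._seen.items() if exp <= now]:
            del self._seen[jti]

    def pending(self) -> int:
        return len(self._seen)

    def accept(self, claims: dict, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        self._prune(now)
        jti, exp = claims.get("jti"), claims.get("exp")
        if not isinstance(jti, str) or not isinstance(exp, int):
            return False  # a one-time token without jti and exp is unusable
        if exp <= now:
            return False  # expired: nothing to remember, pruning covers it
        if jti in self._seen:
            return False  # replay of a token that was already accepted
        self._seen[jti] = exp
        return True
```

Keeping the exp next to the jti is what bounds the store: it only ever holds ids of tokens that are still live, so a short ttl keeps it small.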
 
32 votes, 1 answer
What are the differences between JSON Web Tokens, SAML and OAuth 2?
What are the differences between JSON Web Tokens, SAML and OAuth 2. Please provide some pointers and high level overview of their functions.
Specifically, why would one use SAML over JSON Web Tokens or vice versa? Does one need to have OAuth 2 to use…
asked by Jadiel de Armas
 
31 votes, 3 answers
Should I be able to see patterns in a HS256 encoded JWT?
I was fiddling with https://jwt.io/ using this header
{
  "alg": "HS256",
  "typ": "JWT"
}
when I realized that replacing the payload name with something repetitive like AAAAAAAAAAAAAAAAAAAA would produce a token such as…
asked by jmacedo
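An added example, not code from the question above or from jwt.io, that shows why the pattern appears: an HS256 JWT is a JWS, so the header and payload are only base64url-encoded and anyone holding the token can read them; the HMAC tag over those two segments is the only thing that stops them being changed. The key below is a constructed demo secret, and `swap_payload` is a hypothetical helper standing in for an attacker editing the token.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key. A real HS256 key must be a high-entropy secret of at
# least 32 bytes: anyone who holds it can mint tokens the verifier accepts.
SECRET = b"constructed-demo-secret-not-for-real-use"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the segment encoding JWS (RFC 7515) uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def encode_hs256(payload: dict, secret: bytes) -> str:
    """header.payload.signature; the signature is HMAC-SHA256 over 'header.payload'."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url(_compact_json(header)) + "." + b64url(_compact_json(payload))
    tag = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(tag)


def decode_unverified(token: str) -> dict:
    """What anyone holding the token can read: no key needed, nothing is encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the payload only if the tag verifies; None for anything else."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        # Pin the algorithm on the verifier side; never let the token choose it.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        return json.loads(b64url_decode(p))
    except (ValueError, UnicodeDecodeError):
        return None


def swap_payload(token: str, new_payload: dict) -> str:
    """Hypothetical attacker edit: new payload segment, original signature kept."""
    h, _, s = token.split(".")
    return f"{h}.{b64url(_compact_json(new_payload))}.{s}"
```

With the name set to twenty `A`s the payload segment comes out as `eyJuYW1lIjoi` followed by a run of `QUFB` groups, because base64 maps every three input bytes to four output characters and `{"name":"` happens to be nine bytes long, so the repeated input lands on a group boundary. The encoding is reversible by design; confidentiality would need JWE, not JWS.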
 
28 votes, 5 answers
What protects a JWT from being hijacked and used to pose as the original user?
Sorry for this possibly silly question, I'm just learning about JWT so please bear with me...
I read the JWT docs extensively but I don't understand what prevents a hacker from hijacking the JWT and posing as the user for which it was originally…
asked by longboardnode
 
25 votes, 2 answers
Is it safe to store a JWT in sessionStorage?
This article from Auth0 recommends storing the JWT locally in local storage (or a cookie). But this article from OWASP recommends not to store any sensitive data locally (not even sessionStorage)
So, is it safe to store the JWT token locally or not?
asked by Ghassan Karwchan
 
24 votes, 4 answers
What is the difference between JWT and encrypting some json manually with AES?
What is the difference between using a JSON Web Token (JWT) and simply having an AES key and sending and receiving encrypted JSON from the client?
For example, this could be sent to the client: 
AES256.encrypt(JSON.stringify({id: 5552, admin:…
asked by FLUSHER
 
23 votes, 3 answers
What is the impact of an exposed secret key for a JWT token implementation?
I am currently using JWT implementation for the authentication part of my APIs.
A private key is used to sign the token generated and used to make sure it's not tampered with when it's used later for other API.
My question is - What is the impact if…
asked by darren19824
 
21 votes, 4 answers
Is a JWT usable as a CSRF token?
I'm in need of a CSRF token, for a certain application that submits a form with POST. Ideally, I'd like to not make a DB call for each submission, to avoid storage and DB traffic & latency. To this end OWASP's "CSRF Prevention Cheat Sheet"…
asked by Thanatos
 
20 votes, 2 answers
Access-control-allow-origin: * with a bearer token
When testing a single page application, I've identified that the REST endpoints return CORS headers that allow cross-domain access:
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, DELETE,…
asked by paj28
 
19 votes, 2 answers
Stateless authentication with JWT: refresh token is not stateless
In my current architecture, my backend issues a JWT back to the (mobile) client. The primary reason to opt for a JWT is stateless authentication, i.e. the server doesn't need to store data in the session/database, which means less overhead and…
asked by Trace
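An added example, not code from either of the posts it illustrates (the first question on this page, about refreshing a short-lived JWT for a 7-day session, and the one just above, about the refresh token not being stateless), showing the usual compromise: the access JWT stays short-lived and stateless, while the refresh token is a server-side record, rotated on every use, with reuse of an old copy treated as theft. `RefreshStore` and its method names are hypothetical; the access token is returned as a claims dict for whatever signer the app uses.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

ACCESS_TTL = 15 * 60          # short-lived access JWT, as in the question
REFRESH_TTL = 7 * 24 * 3600   # the 7-day session the refresh token carries


class RefreshStore:
    """Server-side refresh tokens with rotation and reuse detection.

    Only a SHA-256 of each live refresh token is stored, so a database dump
    does not hand out working tokens. Every refresh call rotates: the
    presented token dies and a new one is issued. If a token that was already
    rotated shows up again, someone holds a stale copy (a thief, or the real
    client after a theft), and the whole family is revoked.
    """

    def __init__(self) -> None:
        self._live: Dict[str, str] = {}  # family id -> hash of the current token
        self._sub: Dict[str, str] = {}   # family id -> subject
        self._exp: Dict[str, int] = {}   # family id -> absolute expiry

    @staticmethod
    def _h(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    @staticmethod
    def _access_claims(sub: str, now: int) -> dict:
        # Claims for the access JWT; signing them is the JWT library's job.
        return {"sub": sub, "iat": now, "exp": now + ACCESS_TTL}

    def login(self, sub: str, now: int) -> Tuple[dict, str]:
        family = secrets.token_urlsafe(16)
        refresh = family + "." + secrets.token_urlsafe(32)
        self._live[family] = self._h(refresh)
        self._sub[family] = sub
        self._exp[family] = now + REFRESH_TTL
        return self._access_claims(sub, now), refresh

    def refresh(self, presented: str, now: int) -> Optional[Tuple[dict, str]]:
        family = presented.split(".", 1)[0]
        live = self._live.get(family)
        if live is None or self._exp[family] <= now:
            return None
        if not secrets.compare_digest(live, self._h(presented)):
            self.revoke(family)  # a rotated token came back: end the session
            return None
        rotated = family + "." + secrets.token_urlsafe(32)
        self._live[family] = self._h(rotated)
        return self._access_claims(self._sub[family], now), rotated

    def revoke(self, family: str) -> None:
        for table in (self._live, self._sub, self._exp):
            table.pop(family, None)
```

The state is one row per session rather than one lookup per API request, which is the trade the question is asking about: only the refresh endpoint touches the store, every other request is verified from the JWT alone, and revoking the family is how a login is ended early without revoking access tokens individually.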
 
19 votes, 4 answers
JWT vs. Client Certificates
We have a transaction server that is connected to by different client applications. The requirement is to have a secure means of authentication for client applications to communicate with the transaction server. The two solutions being looked at are…
asked by Nixman55
 
19 votes, 2 answers
Where should I store OAuth2 access tokens?
I am building a REST API back-end, for a mobile application.
In our design choice, we decided to let OAuth2 providers handle the login security.
However, I am not sure what the best practice is for the access token, which I acquire from the OAuth2…
asked by Daniel
 
18 votes, 2 answers
JWT: A solution to let the token expire after a certain time of inactivity?
I have a stateless webapp that uses a JWT token. Eventually it will expire - which is OK, but I don't want it to expire while the user is working. Instead, I would like the token to expire after a certain time of inactivity.
Let's say my token is…
asked by Tim
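An added example, not code from the question above, of one stateless way to get an idle timeout: the token carries an absolute `exp` plus a last-activity stamp, each request is checked against both, and when the stamp is stale enough the server re-signs the claims with a fresh stamp and sends the new token back with the response. `act` is a hypothetical private claim name and `issue`/`touch` are hypothetical helpers; the signature is assumed to have been verified before `touch` runs.

```python
from typing import Optional

IDLE_TIMEOUT = 30 * 60        # no request for 30 min: token is dead
ABSOLUTE_LIFETIME = 8 * 3600  # ...and never more than 8 h after login
RENEW_AFTER = 5 * 60          # only re-sign once the activity stamp is this stale


def issue(sub: str, now: int) -> dict:
    # 'act' (hypothetical private claim): time of the last accepted request.
    return {"sub": sub, "iat": now, "exp": now + ABSOLUTE_LIFETIME, "act": now}


def touch(claims: dict, now: int) -> Optional[dict]:
    """Validate an already signature-checked token against both clocks.

    Returns None if the token must be rejected, the same claims object if it
    is fine as is, or a copy with a fresh 'act' when the caller should sign
    and send a replacement token with the response.
    """
    if now >= claims["exp"]:
        return None  # absolute lifetime; the only bound a stolen token cannot extend
    if now >= claims["act"] + IDLE_TIMEOUT:
        return None  # user went idle; exp alone would still have allowed this
    if now - claims["act"] < RENEW_AFTER:
        return claims  # recently stamped: no new token on every single request
    renewed = dict(claims)
    renewed["act"] = now
    return renewed
```

The idle clock lives in the token, so whoever holds it can keep it alive by presenting it within the window; that is why the absolute `exp` stays and is never pushed forward. Re-signing only every `RENEW_AFTER` seconds keeps the client from having to swap its stored token on every call.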