Questions tagged [jwt]

A JSON Web Token (JWT) is a signed token issued by a server to a client. The client can present it to validate certain claims, e.g. identity, to a third party such as a service provider.

385 questions
17 votes, 3 answers
Storing info in JWT payload

Currently, the access token expires in 15 minutes and the only info stored in the payload is the user id. Each user has a balance which he can use inside the app. Should I query the database on each request so I can pull the balance? Would it be…
asked by civ15
17 votes, 1 answer
REST API authentication with JWT and CSRF protection for SPA

I'm developing an SPA with REST back end and want to have simple token based authentication. The goal for the REST back end is to be stateless. I will explain the security model and try to reference all sources for decisions that were made during design.…
asked by Marko Vodopija
15 votes, 2 answers
JWT: Choosing between HMAC and RSA

It is my understanding that HMAC is a symmetric signing algorithm (single secret key) whereas RSA is an asymmetric signing algorithm (private/public key pair). I am trying to choose between these 2 methods for signing JSON Web Tokens. However, I…
asked by 4Matt
15 votes, 2 answers
JWT: Why is audience important?

JWTs typically include an audience claim. I've read in many places (articles, code examples, the spec itself) that you must check that the token is intended for you and not another audience. I'm happy enough to accept that. I'm not planning on…
asked by Andy N
15 votes, 1 answer
Shared secret when using JWT with an HMAC for authentication

I'm currently implementing user authentication on a REST-like API that is used by an Android client. After some research I think that JWT (JSON Web Token) is a good way to do it. The basic procedure I have planned is: The user logs in using…
asked by Alemarius Nexus
14 votes, 2 answers
How to handle refresh tokens

I'm trying to wrap my head around JWT (JSON Web Token) based authentication for securing API endpoints using access tokens. I'm protecting these endpoints by requiring the user to have a valid access token in order to obtain said resources. I'm…
asked by Sam
14 votes, 3 answers
Security issues in JWT storage

I'm creating a JWT login mechanism for a site. There are two very opposing opinions on how to store the JWT. Stormpath swears by httponly cookies: https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage Auth0 swears by…
asked by user2331566
14 votes, 2 answers
Base64 encoding of a SHA256 hash

I'm currently reading up on JWTs and have written something to create them. When I created my JWT I noticed that my signature was not being encoded properly. For instance, given the…
asked by etchesketch
14 votes, 3 answers
Cracking a JWT signature

I am testing an API that uses JWT for authentication. This JWT has an HS256 signature to prevent modification. I figured that if I determine the secret key used in this signature, I can create my own JWTs. How can I crack the secret key of a JWT…
asked by Sjoerd
13 votes, 3 answers
Securely using JWTs with CSRF protection and refresh tokens

I'm implementing JWTs in my app and I'd like to make them as secure as possible. I'll lay out everything I'm planning, I'd greatly appreciate any suggestions as to the security of this implementation. This is my site, I have full access to every…
asked by vaindil
12 votes, 1 answer
What is the purpose of JSON Web Token (JWS)'s issued at "iat" field?

RFC 7519 specifies an optional "iat" field, indicating when a token was issued. The RFC provides a terse commentary: This claim can be used to determine the age of the JWT. What is the purpose of the "iat" field? For example, why would one want to…
asked by jtpereyda
12 votes, 2 answers
Should JWT token be stored in a cookie, header or body

What is the most secure way to transfer and store a JWT token, or any authentication token in general? Someone told me it's secure to send the authentication token as a cookie, but I don't understand how this would provide any additional…
asked by Tuomas Toivonen
11 votes, 2 answers
JWT or session cookie for API for both web and mobile app?

I've been reading all I could about this subject for the last couple of days and I can't decide what would be the best approach. The only two requirements are: I need to know the users that are logged in and every session they have, so the user…
asked by Leia
10 votes, 1 answer
Authentication with JWT

I am building an SPA (React/Redux) and require user authentication. I have found similar discussions, but haven't found answers for the questions I outline below. Here are some options I found to implement: Option 1: Keep JWT in localStorage CSRF attack:…
asked by Ilya
10 votes, 1 answer
Can JWT authentication act as an anti-CSRF mechanism?

On the Angular single-page application (Angular + REST API) I use JWT authentication. Let's assume JWT tokens are properly generated and really random (you can't predict it). Is this JWT token enough protection against Cross Site Request Forgery…
asked by boleslaw.smialy