A JSON Web Token (JWT) is a signed token issued by a server to a client that carries a set of claims, e.g. about the holder's identity, which a third party such as a service provider can verify.
Questions tagged [jwt]
385 questions
7
votes
2 answers
What happens if my anti-CSRF token is compromised by an XSS attack?
The interesting Stack Overflow question "Do cookies protect tokens against XSS attacks?" was closed as too broad, but as mentioned in a comment on it, there is a tangible question of "What happens if my anti-CSRF token is compromised by an XSS…
Daniel
7
votes
2 answers
Is using JWT token for "remember me" less secure than random session token?
I have just read "https://stormpath.com/blog/token-auth-spa" and "https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence" (among others :-) ) and the thing I would like to avoid is blindly using every security measure…
greenoldman
6
votes
1 answer
Should I create a JWT on one server, and verify it on a different server?
So let's say I have 2 microservices:
1) A serverless / lambda function, triggered by some hardware event
2) A websocket server, to handle some data
I want to ensure that only authenticated connections can connect to the websocket server. But the…
Horse
6
votes
0 answers
Are JWT refresh tokens in browser really that bad?
Note: I fully acknowledge there may be something I'm missing in the picture, which is part of my reason for posting. I'd like to get the opinion of people more experienced than I am on authN/Z related implementations.
Here's where I am stuck on this…
Salvatore
6
votes
1 answer
JWT in localStorage with encrypted sessionId
What I want:
Store a JWT in localStorage. The JWT contains claims about authorization.
Prevent the JWT from being stolen and used by an attacker (using XSS)
Avoid CSRF
Storing the JWT in localStorage is bad since exploiting XSS would lead to a…
Magnus Jeffs Tovslid
6
votes
2 answers
What should I use for authentication for my Django Rest API?
I just read this article about why JWTs suck. I'm now uncertain what I should use for authentication.
For context: The API I wrote is mainly used by mobile Apps (iOS and Android). In the future it will also be accessed via a React Frontend.
In the…
J. Hesters
6
votes
2 answers
How is security maintained in session and JWT?
I have been using Passport.JS sessions for a long time without really caring about security concerns. For my next project I thought of replacing sessions with JWT, but security-related concerns arise as I research more about JWT.
So if I use JWT for…
forJ
6
votes
1 answer
Security with non-expiring sessions
Sessions expire differently on different places on the web:
StackOverflow: never expires
Twitter: never expires
Facebook: never expires
Stripe: expires after like 30 min or an hour or so
Some bank websites: expire after 15 minutes of…
Lance
6
votes
2 answers
AWS Signature V4 vs OAuth + JWT bearer tokens
For securing REST APIs, a logical choice for access control is JWT either by itself or in combination with OAuth. If I only care about authenticating the caller, verifying a JWT signature is sufficient by itself. If I also care about…
wrschneider
6
votes
2 answers
JSON Web Token Security
I've been working with JSON Web Tokens and reading up on how to make an app more secure. When a user is authorized, the token is signed, and the token is placed in the Authorization header. This token can then be placed in localStorage,…
My Name
6
votes
1 answer
Why should I trust a JSON Web Token (JWT)?
In the SAML and Kerberos authentication models, there is an explicit understanding of what authority has authenticated the user and issued the credential to be trusted by downstream systems. For purposes of identity propagation, the rights of the…
JaimeCastells
5
votes
1 answer
Is there a reason not to store a JWT as hardened cookie?
When storing a JWT for authentication in a web application, my first instinct would be to store it as a "hardened cookie", meaning all the required flags such as "HttpOnly" and "Secure" being set. This would still allow me to make use of XHR, as XHR…
user163495
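As an added example (not code from the question above or from any answer to it), here is how a Node service might issue a JWT in exactly such a hardened cookie, read it back, and guard cookie-authenticated state-changing requests against CSRF. It uses only Node's standard library; the cookie name, origin and header values are assumptions made for the example.

```javascript
// Added example, not code from the question: how a Node service might issue a JWT in a
// hardened cookie and guard cookie-authenticated state-changing requests against CSRF.
// Plain Node, no framework; the cookie name and allowed origin are illustrative.
const COOKIE_NAME = '__Host-session';

// HttpOnly: document.cookie cannot read it, so XSS cannot exfiltrate the token
// (injected script can still make the browser send it, so HttpOnly is not an XSS fix).
// Secure + the __Host- prefix: only sent over HTTPS, must have Path=/ and no Domain,
// so a subdomain cannot overwrite it. SameSite=Lax: not attached to cross-site POSTs.
// Max-Age bounds the cookie's life; the JWT's own exp should be shorter or equal.
function buildAuthCookie(token, maxAgeSeconds = 3600) {
  if (!/^[A-Za-z0-9_.-]+$/.test(token)) throw new Error('not a compact JWS');
  return `${COOKIE_NAME}=${token}; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=${maxAgeSeconds}`;
}

// Pull our cookie out of a Cookie request header; returns null when absent.
function readAuthCookie(cookieHeader) {
  for (const part of String(cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    if (part.slice(0, eq).trim() === COOKIE_NAME) return part.slice(eq + 1).trim();
  }
  return null;
}

// Because the browser attaches the cookie automatically (XHR/fetch with credentials too),
// a cookie-bearing request proves nothing about who built it. Sec-Fetch-Site and Origin
// are set by the browser and cannot be forged by page script, so requiring same-origin on
// every state-changing request closes CSRF. SameSite=Lax still lets top-level GET
// navigations carry the cookie, so GET must never change state.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

function allowRequest(method, headers, allowedOrigin) {
  if (SAFE_METHODS.has(String(method).toUpperCase())) return true;
  const h = {};
  for (const [k, v] of Object.entries(headers || {})) h[k.toLowerCase()] = v;
  if (h['sec-fetch-site'] !== undefined && h['sec-fetch-site'] !== 'same-origin') return false;
  let origin = h['origin'];
  if (origin === undefined && h['referer'] !== undefined) {
    try { origin = new URL(h['referer']).origin; } catch (e) { return false; }
  }
  if (origin === undefined) return false; // fail closed: no provenance, no state change
  return origin === allowedOrigin;
}
```

The cookie answers the XHR concern in the question: the browser attaches it to same-origin XHR and fetch calls on its own, so the page never needs to read the token. What the flags do not buy is protection from a script that already runs on the page; that script cannot read the cookie, but it can still send authenticated requests, which is why the same-origin check above is a CSRF defence and not an XSS one.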
5
votes
2 answers
What are the advantages of using JWT over Basic Auth with Https?
As per my understanding, both JWT and Basic Auth are used to store login credentials on the client side and avoid sessions for better scalability. I understand that with Basic Auth the login credentials will be sent along with each request, which is a security risk…
Arjun
5
votes
1 answer
Split a JWT between payload and signature
Context: I'm looking at storage solutions for JWT tokens on a single page application.
Storing the JWT in the local storage is unsafe and prone to XSS attacks.
Storing the JWT in a secure / HTTP only cookie is safer, but prone to CSRF attacks.
I'm…
HHK
5
votes
1 answer
Zero trust across micro-services using JWT
I am planning to implement JWT authentication on my micro-services to achieve zero trust architecture. User will generate a JWT token through front end micro-service. Each subsequent request will contain this JWT which will be forwarded to backend…
Saqib