Questions tagged [jwt]

A JSON Web Token (JWT) is a signed token issued by a server to a client. It carries claims, e.g. about identity, that a third party such as a service provider can validate.

385 questions
7 votes, 2 answers

What happens if my anti-CSRF token is compromised by an XSS attack?

The interesting Stack Overflow question "Do cookies protect tokens against XSS attacks?" was closed as too broad, but as mentioned in a comment on it, there is a tangible question of "What happens if my anti-CSRF token is compromised by an XSS…
Daniel

7 votes, 2 answers

Is using a JWT token for "remember me" less secure than a random session token?

I am after reading "https://stormpath.com/blog/token-auth-spa" and "https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence" (among others :-) ) and the thing I would like to avoid is to use blindly every security measure…
greenoldman

6 votes, 1 answer

Should I create a JWT on one server, and verify it on a different server?

So let's say I have 2 microservices: 1) a serverless / lambda function, triggered by some hardware event; 2) a websocket server, to handle some data. I want to ensure that only authenticated connections can connect to the websocket server. But the…
Horse

6 votes, 0 answers

Are JWT refresh tokens in browser really that bad?

Note: I fully acknowledge there may be something I'm missing in the picture, which is part of my reason for posting. I'd like to get the opinion of people more experienced than I am on authN/Z related implementations. Here's where I am stuck on this…
Salvatore

6 votes, 1 answer

JWT in localStorage with encrypted sessionId

What I want: store a JWT in localStorage. The JWT contains claims about authorization. Prevent the JWT from being stolen and used by an attacker (using XSS). Avoid CSRF. Storing the JWT in localStorage is bad since exploiting XSS would lead to a…

6 votes, 2 answers

What should I use for authentication for my Django Rest API?

I just read this article about why JWTs suck. I'm now uncertain what I should use for authentication. For context: the API I wrote is mainly used by mobile apps (iOS and Android). In the future it will also be accessed via a React frontend. In the…
J. Hesters

6 votes, 2 answers

How is security maintained in session and JWT?

I have been using Passport.JS sessions for a long time without really caring about security concerns. For the next project I thought of replacing sessions with JWT, but security-related concerns arise as I research more about JWT. So if I use JWT for…
forJ

6 votes, 1 answer

Security with non-expiring sessions

Sessions expire differently in different places on the web: StackOverflow: never expires; Twitter: never expires; Facebook: never expires; Stripe: expires after like 30 min or an hour or so; some bank websites: expire after 15 minutes of…
Lance

6 votes, 2 answers

AWS Signature V4 vs OAuth + JWT bearer tokens

For securing REST APIs, a logical choice for access control is JWT either by itself or in combination with OAuth. If I only care about authenticating the caller, verifying a JWT signature is sufficient by itself. If I also care about…
wrschneider

6 votes, 2 answers

JSON Web Token Security

I've been working with JSON Web Tokens and reading up on how to make an app more secure. When a user is authorized, the token is signed, and the token will be placed in the Authorization header. This token can then be placed in localStorage,…
My Name

6 votes, 1 answer

Why should I trust a JSON Web Token (JWT)?

In the SAML and Kerberos authentication models, there is an explicit understanding of what authority has authenticated the user and issued the credential to be trusted by downstream systems. For purposes of identity propagation, the rights of the…
JaimeCastells

5 votes, 1 answer

Is there a reason not to store a JWT as a hardened cookie?

When storing a JWT for authentication in a web application, my first instinct would be to store it as a "hardened cookie", meaning all the required flags such as "HttpOnly" and "Secure" being set. This would still allow me to make use of XHR, as XHR…
user163495

5 votes, 2 answers

What are the advantages of using JWT over Basic Auth with HTTPS?

As per my understanding, both JWT and Basic Auth are used to store login credentials on the client side and avoid sessions for better scalability. I understand that with Basic Auth login credentials will be sent along with each request, which is a security risk…
Arjun

5 votes, 1 answer

Split a JWT between payload and signature

Context: I'm looking at storage solutions for JWT tokens on a single page application. Storing the JWT in the local storage is unsafe and prone to XSS attacks. Storing the JWT in a secure / HTTP only cookie is safer, but prone to CSRF attacks. I'm…
HHK

5 votes, 1 answer

Zero trust across micro-services using JWT

I am planning to implement JWT authentication on my micro-services to achieve a zero trust architecture. The user will generate a JWT token through the front-end micro-service. Each subsequent request will contain this JWT, which will be forwarded to the backend…
Saqib