I am trying to understand JWT, and surfing various resources on the web. I found the code showing how to check whether a JWT is tampered with -- this is a great one and I understand it.
However, I don't understand how a JWT won't be used by a middle-man who can either look at the browser data (think of a public computer in a library) or sniff the wire (I guess this can be avoided by HTTPS though) to get the JWT string, and replay it from another computer.
https://float-middle.com/json-web-tokens-jwt-vs-sessions/
// Split the compact serialization into its three base64url segments.
const [headerB64, payloadB64, signatureB64] = jwt.split('.');
// Recompute the signature over "header.payload" and compare it with the one carried in the token.
if (atob(signatureB64) === signatureCreatingFunction(headerB64 + '.' + payloadB64)) {
  // good: the token has not been altered
} else {
  // no good: header or payload was tampered with, or the signature is not ours
}
JWTs can be the best and most secure option, but they are very secure only if they are used in the right way. Attacks like token stealing, XSS, and man-in-the-middle attacks are still possible.
JSON web token (JWT), pronounced "jot", is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. Again, JWT is a standard, meaning that all JWTs are tokens, but not all tokens are JWTs.
The JWT spec provides the jti field as a way to prevent replay attacks.
The most crucial security claim is the "exp" claim. The issuer uses this claim to indicate the expiration date of a JWT. If this expiration date lies in the past, the JWT has expired and must not be used anymore. A typical example use case is an OpenID Connect identity token, which expires after a set period.
Indeed, they can. You can take steps to prevent this by, say, encapsulating the requester's IP address in the encrypted data, and by giving the token a relatively short time-to-live. But, the key idea is that the receiving system has only the token, and its encrypted content, to act upon. The server can verify that the token is valid and know that it has not been altered, but, since there are no "sessions," it will not be able to detect a replay attack unless the content of the token enables it to do so. (Therefore, do so!)