DEV Community

Said Bakr
Freelance web application developer.

How to secure the JWT data? for example, in the session, user_id, shopping cart items, etc are stored on the server, while in JWT they are stored on the client, so the client may be able to change his user_id to 1 for example to gain super admin permissions later. This is a messy point to me!

Nguyễn Văn Đức

JWT implementation already deals with that. Simply put, anyone can read (decode) the token. (the encoding scheme is Base64). However, it's impossible to forge a new valid token like your situation without the authenticating server knowing about it. The fake token on subsequent requests will be rejected immediately.

webdevops-fresher

Even if a user tampers with a token stored on the client side, the server will compare the token sent with each subsequent request against its secret key.

Said Bakr
Freelance web application developer.

@goose97 @webdevopsfresher
_It is too late, but thank you for your reply._
This may explain why such kinds of authentication need HTTPS? I think, to add encryption as an additional security layer between the client and the server.

Risa
I'm a software engineer working in Tokyo, Japan. Try my expense tracker app for couples! 👉 http://warikani.page.link/app

Thanks for a great intro to this topic!

SenTisso

Please... for the love of god, never store the JWT in localStorage nor sessionStorage. It is vulnerable to XSS and a ton of other stuff. Store it in a secure cookie and let the server handle it without any client manipulation.
Anyway this is a great explanation!

Princewill Opara
Hi! I’m a Front-End Web Developer and have a passion for Web Technologies.

I love the simplicity, thanks

Chiamaka Mbah
Smart and intentional woman

Hey! This is the best explanation. Thank you!

aderchox
Web developer. Lover of Typescript. Also comfortable with a bunch of other shiny languages and "big-brain tech tools" to flex about at parties! ( ́・・)ノ(._.`)

How do we know the JWT received is right if we don't store it on the server side? Do we encrypt it with our own private keys and decrypt them back afterwards?

Chandelier Axel
Software developer passionate about JS - Working with React, Node, Mongo and Typescript

Hey! Pretty much, yes. Basically, once the server creates the JWT, it'll "sign" it with a secured secret (an overcomplicated string, most likely). When your client sends the JWT with the request, the server will "verify" the token, using the secret key you used to sign it.

jsonlisky

What is the validity period of the token, and how do we ensure it is active?

Kelvin Omereshone
I'm a software engineer and technical writer. I am currently working on Sailscasts - a platform to learn server-side JavaScript by creating real-world screencasts

Hey, you get to set the validity when implementing the token on your server.

Sujith V S
React | Django | ..

great

G'olibjon

perfect bro
