Reputation: 161
I'm using jsonwebtoken on my Node.js server and inside the jsonwebtoken I store the role of the user.
So every time he does a request I just have to check if the required role is given in the token. But can people change this role? I know everyone can see it, but I guess no one can change it without my secret, right?
Of course I'm always checking the jsonwebtoken is correctly signed. Do you think this method seems good? Sorry, English is not my main language.
Upvotes: 0
Views: 24
Reputation: 3264
If you change the JWT data and then hash it with a different signature, then your server will know it's a fake token.
Also make sure you use HTTPS so your tokens won't be available to sniffers.
If you store your token in a cookie, make sure you set your cookie with HttpOnly to prevent cookie hijacking.
Also I recommend you use a CSRF token to prevent CSRF attacks.
Upvotes: 1
Reputation: 2567
I guess you store the JWT in a cookie or in LocalStorage on the client side.
So of course the user can delete or alter the cookie, but he can't read it without your secret.
So if he tries to update the token, it will probably become corrupted and unreadable from your server side.
If the token is corrupted you'll probably want to log out the user and redirect him to the login page.
Upvotes: 0