ArulKumar

Reputation: 35

JWT token restriction

I have an authenticated JWT token and it's in session storage.

Machine 1 is logged in as a normal user; Machine 2 is logged in as admin.

If I put machine 1's JWT token into machine 2's session storage and make further API calls, the server should say unauthorised access.

Upvotes: 2

Views: 1066

Answers (2)

Rishabh Poddar

Reputation: 984

Given your specific requirements, you can try the usual approaches of browser fingerprinting or IP address change detection. But in an answer you said that the IP addresses can be the same, and fingerprinting is very easily spoofed. For this, I suggest you implement rotating refresh tokens. This will guarantee token theft detection if the token is used on two different devices - in fact, even in two different processes on the same device! This however requires careful implementation. See this blog for more details.

Upvotes: 1
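A minimal server-side model of the rotating refresh tokens described in this answer, added here as an example (it is not code from the answer or from the linked blog). The in-memory store, the token-family idea and the status strings are assumptions chosen for illustration; a real deployment would persist families in a database and also revoke the family's access tokens.

```python
import secrets


class RefreshTokenStore:
    """Rotating refresh tokens with reuse detection (constructed demo, in-memory)."""

    def __init__(self):
        self._tokens = {}    # refresh token -> (family_id, user, role)
        self._families = {}  # family_id -> {"current": token, "revoked": bool}

    def issue(self, user, role):
        """Start a new token family at login and return its first refresh token."""
        family, token = secrets.token_hex(8), secrets.token_urlsafe(32)
        self._tokens[token] = (family, user, role)
        self._families[family] = {"current": token, "revoked": False}
        return token

    def rotate(self, presented):
        """Exchange a refresh token for a new one; each token is valid exactly once."""
        entry = self._tokens.get(presented)
        if entry is None:
            return None, "unknown token"
        family, user, role = entry
        fam = self._families[family]
        if fam["revoked"]:
            return None, "family revoked"
        if fam["current"] != presented:
            # An already-rotated token came back: two parties hold this family
            # (e.g. the token was copied to another machine), so revoke all of it.
            fam["revoked"] = True
            return None, "reuse detected; family revoked"
        new_token = secrets.token_urlsafe(32)
        self._tokens[new_token] = (family, user, role)
        fam["current"] = new_token
        return new_token, "ok"


def simulate_copied_token():
    """Legitimate client rotates once; a copy of the old token is then replayed."""
    store = RefreshTokenStore()
    original = store.issue("admin-user", "admin")
    fresh, first = store.rotate(original)       # legitimate refresh
    _, replay = store.rotate(original)          # copied token replayed elsewhere
    _, victim = store.rotate(fresh)             # legitimate holder is logged out too
    return [first, replay, victim]
```

Whichever party presents the stale token second, the whole family is revoked, so the server can force a fresh login instead of guessing which machine is the real one.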

Alexandru Olaru

Reputation: 7112

Industry best practice at the moment is to implement access/refresh token pairs.

You can follow the tutorials below on how to implement it.

This will drastically reduce the possibility of someone stealing the access token and trying to use it on other machines.

Upvotes: 2
