Reputation: 309
I'm building a nodejs server with jwt authentication.
At the moment my jwts have an expiration time of 1 month. If the user goes to the login page, I check whether his request contains a valid jwt; if yes, he doesn't have to type in his username and password. If he logs out, the jwt gets deleted on the client side, so the user has to log in with his credentials next time.
What if an attacker listens to the connection (I'm already using ssl) and gets the token? Even if the user logs out and gets a new token in his next session, the attacker can impersonate the user with the old token as long as it is valid, right?
Is it a good idea to store the IAT of the "current" token of the user in the DB and compare it to the IAT of the token in the request to avoid the access of the attacker?
I know 1 month is quite a long time for a jwt. I also had the idea of generating a new token every time the client logs in (with an exp. time of 2 days). But if an attacker gets only 1 valid token, he also gets the new tokens, doesn't he?
Do you have any suggestions?
Thanks, Cheers!
Upvotes: 1
Views: 1062
Reputation: 6629
Your concerns are exactly one of the reasons that security people advise against using JWTs for session data -- see section "You cannot invalidate individual JWT tokens". In other words, the only way to invalidate JWT tokens is to force a database lookup when it is presented -- but that defeats the entire point of the JWT in the first place (most people use them because they are trying to avoid a database lookup on the server).
Upvotes: 2
Reputation: 99
Store the tokens and any session data (for example user ID for the logged in user) on the server. This gives you full control of the data, and the sessions. It also removes a lot of avenues for abuse (which the JWT standard allows).
When doing that, if you know a token is stolen, you can simply mark it as invalid on your server, and have your application ignore it.
In practice, this means just having a token in the cookie, and having the user ID and other session data stored in a database table or server side cache (for example a mysql table or redis cache).
Upvotes: -1