Spring Security - Stolen JWT token

Time: 03-14

Using Spring Security and JWT:

  • Is there a way to invalidate the token if it's from a different device?
  • How am I supposed to know whether the token provided is a stolen one? I can easily copy and paste the entire token and provide it.

Thanks

CodePudding user response:

I'm going to answer this as simply as possible without trying to have a full-blown discussion.

Is there a way to invalidate the token if it's from a different device?

No. This is one of the major reasons why you should not be using JWTs as sessions. They are issued, and then most often their integrity is validated by checking the signature and then, no more.

Session cookies have all their info stored server-side, which means you can invalidate a session, server side, and when someone presents the cookie you can say NO.

Tokens have a lifetime that you can check, but since most implementations are stateless, we have nothing to invalidate server side, so we can't invalidate the JWT. It has to "time out".

There are probably custom solutions etc. out there, but all major implementations work this way. OWASP talks about different solutions built around token revocation.

This problem has been mentioned several times, but developers don't seem to care:

  • JWTs are dangerous for user sessions
  • Stop using JWT for sessions
  • Stop using JWT for sessions part 2
  • Why JWTs suck as session tokens

How am I supposed to know whether the token provided is a stolen one? I can easily copy and paste the entire token and provide it.

You can't. How do you know someone hijacked your Facebook account? Well, you report it to Facebook that it has been hacked. You can't know who is in possession of any token at any time just based on tokens alone.

That's why we have certificates (TLS), and we have other security measures like CORS, CSRF protection, IP whitelisting, usernames and passwords, etc.

This is what is called Zero Trust. If someone presents the token, you have to trust that they are who they claim to be, unless you want to start whitelisting IP addresses (but they can be spoofed with VPNs etc.).

Security is difficult, and sadly you have now understood the difficulty with it.

Token stealing is a thing, you must instead focus on making sure no one can steal the token.
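The mechanics the answer describes, as an added illustration that is not part of the original thread and not Spring Security code: a minimal HS256 JWT issuer and a stateless verifier that checks only algorithm, signature and expiry, beside a server-side revocation list keyed on the `jti` claim (one of the "custom solutions" the answer alludes to). The secret, the subject, the token id and the fixed clock values are all constructed for the demo. Running it shows that a copied token is accepted exactly like the original, that tampering is caught, and that only server-side state lets the server say NO before the token times out.

```python
"""Added example (not from the thread): stateless JWT checks vs. a server-side revocation list."""
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, subject: str, jti: str, ttl_seconds: int, now: int) -> str:
    """Mint an HS256 JWT. 'jti' is the unique token id a revocation list can be keyed on."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "jti": jti, "iat": now, "exp": now + ttl_seconds}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_stateless(secret: bytes, token: str, now: int) -> Optional[dict]:
    """What a typical stateless resource server does: algorithm, signature, expiry. Nothing else.
    Returns the claims on success and None on any failure."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # pin the algorithm; never accept "none" or a different alg
        expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None  # signature does not match: token was altered or signed with another key
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # bad split, bad base64, bad JSON, non-ASCII input
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None  # missing or passed expiry: the only thing that ends a stateless token
    return claims


class RevocationList:
    """The server-side state a stateless JWT deployment lacks. Entries are kept only until
    the token would have expired anyway, so the list stays bounded."""

    def __init__(self) -> None:
        self._revoked: Dict[str, int] = {}  # jti -> exp

    def revoke(self, jti: str, exp: int) -> None:
        self._revoked[jti] = exp

    def is_revoked(self, jti: Optional[str]) -> bool:
        return jti is not None and jti in self._revoked

    def purge(self, now: int) -> None:
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}


def verify_with_revocation(secret: bytes, token: str, revoked: RevocationList, now: int) -> Optional[dict]:
    """Stateless checks first, then the one question only server-side state can answer."""
    claims = verify_stateless(secret, token, now)
    if claims is None or revoked.is_revoked(claims.get("jti")):
        return None
    return claims


def demo() -> Dict[str, bool]:
    """Walk through the scenarios from the answer; every outcome should be True."""
    secret = b"constructed-demo-secret-not-for-real-use"  # constructed value
    t0 = 1_700_000_000  # fixed clock so the run is reproducible
    revoked = RevocationList()
    token = issue_token(secret, "alice", "jti-0001", ttl_seconds=900, now=t0)

    stolen_copy = token  # a copy of the string is byte-for-byte the same credential
    h, _p, s = token.split(".")  # same header and signature, different claims
    forged_claims = {"sub": "admin", "jti": "jti-0001", "iat": t0, "exp": t0 + 900}
    forged = f"{h}.{_b64url(json.dumps(forged_claims, separators=(',', ':')).encode())}.{s}"

    results = {
        "legit_accepted": verify_stateless(secret, token, t0 + 10) is not None,
        "copy_accepted": verify_stateless(secret, stolen_copy, t0 + 10) is not None,  # indistinguishable
        "forged_rejected": verify_stateless(secret, forged, t0 + 10) is None,
        "expired_rejected": verify_stateless(secret, token, t0 + 900) is None,
    }
    # After the user reports the theft: only server-side state can refuse a still-valid token.
    revoked.revoke("jti-0001", exp=t0 + 900)
    results["revoked_original_rejected"] = verify_with_revocation(secret, token, revoked, t0 + 20) is None
    results["revoked_copy_rejected"] = verify_with_revocation(secret, stolen_copy, revoked, t0 + 20) is None
    revoked.purge(t0 + 901)  # the entry can go once the token is expired anyway
    results["purged_after_expiry"] = not revoked.is_revoked("jti-0001")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The trade-off the answer points at is visible in `verify_with_revocation`: the moment the server consults `RevocationList`, it is holding per-token state again, which is exactly what a stateless JWT setup was trying to avoid. The `purge` step keeps that state bounded by the token lifetime, so short expiries also keep the revocation list small.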
