I am currently storing a jwt token inside my cookie.
A couple of questions arise. Can the client edit the content/data inside my jwt token? In this case I am storing a non-sensitive username but I figured that any user could in theory edit that jwt token data? In any case if they do, with jwt can you verify if the token has been tampered with and will this always be foolproof?
Second question, does httpOnly on a cookie make it so that the content of the cookie cannot be edited or is it simply making it non accessible to javascript?
CodePudding user response:
An important thing to remember in web development is that everything that happens in the browser is in the user's control. And I really mean everything.
If the user presses F12 in most modern browsers, they will get a debug console with all sorts of things to fiddle with. If the feature they want isn't there, there is absolutely nothing stopping them from making their own browser that does something differently - or, more likely, sending requests to your server that look like they've come from a browser, but which were actually generated by some much simpler script.
So, onto your questions:
- JWT includes a mechanism to cryptographically sign your token. The principle is that it is mathematically difficult (really, really difficult) to generate a correct signature if you don't know the correct private key. If you implement the signing and verification correctly (which generally means using a well-known implementation written by someone who knows all the pitfalls) you can be confident that you would spot someone sending an edited token, because the signature would be wrong.
- Attributes such as HttpOnly are not to protect you from malicious users, they are to protect the user from malicious software. They tell well-behaved browsers what kinds of interaction should be possible with the cookie, so that the user - who is ultimately in control of the cookie - isn't tricked into doing something dangerous.
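To make the first point concrete, here is an added example (not code from the answerer) of an HS256-signed JWT built and verified with only the Python standard library, so the server can show that an edited cookie payload no longer matches its signature. The secret is a constructed placeholder, and the `alg` check is there because a server must only accept the algorithm it issued; in production use a maintained JWT library as the answer recommends.

```python
import base64
import hashlib
import hmac
import json

# Constructed example secret; a real deployment loads this from a secret store.
SECRET = b"constructed-example-secret-do-not-reuse"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(payload: dict, secret: bytes = SECRET) -> str:
    """Build a compact HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, secret: bytes = SECRET):
    """Return the payload dict if the signature is valid, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        given_sig = _b64url_decode(sig_b64)
    except ValueError:          # malformed base64, JSON or wrong number of parts
        return None
    # Only accept the algorithm we issue; never let the token pick its own.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(expected, given_sig):
        return None
    return json.loads(_b64url_decode(payload_b64))


def tamper_payload(token: str, new_payload: dict) -> str:
    """Simulate a client editing the cookie: swap the payload, keep the old signature."""
    header_b64, _, sig_b64 = token.split(".")
    new_b64 = _b64url(json.dumps(new_payload, separators=(",", ":")).encode())
    return f"{header_b64}.{new_b64}.{sig_b64}"
```

`verify_jwt` returns `None` for the edited token, for a token signed with a different secret, and for garbage input, so the server never acts on an unverified username.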