Collaborate Disseminate
As far as I know, JWT tokens are used for implementing ‘stateless server’. But as I try to apply Jwt to my website that uses sessions and cookies for authentication, I found that most people store refresh tokens in their db and compare the… Continue reading Why do I have to store a refresh token in db
In an effort to avoid having to deal with CSRF attacks, I’m trying to implement an auth flow that completely avoids using cookies. In most cases this makes one vulnerable to XSS attacks. However, according to this auth0 blog post, it can b… Continue reading Security implications of access and refresh tokens (JWT) with refresh token rotation and automatic reuse detection
I’m testing a site that authenticates using an HS-256 signed JWT. However the json payload inside the JWT is about 2500 characters. This has become an impediment to trying to crack the signing key. My question is what efficient tooling exi… Continue reading Cracking HS-256 signed JWTs with large payloads
I’m currently working on a personal project including a RESTful API and also trying to understand how to make it as secure as possible. I have read a bit about JWT, the possible vulnerabilities as well as some suggestions on how to mitiga… Continue reading Mitigating CSRF and XSS with JWT authentication: can someone tell me where my logic is wrong
When storing a JWT for authentication in a web application, my first instinct would be to store it as a "hardened cookie", meaning all the required flags such as "HttpOnly" and "Secure" being set. This would s… Continue reading Is there a reason not to store a JWT as hardened cookie?
I’m currently performing a code audit for an application that a company will release to the public as open-source in the next few days.
In this application, they use a JWT token for authentication and on the backend, you can clearly see th… Continue reading Use of JWT Token in open source project
As the title suggests, I would like to expose a couple of read-only endpoints without requiring a key or token. The endpoints will allow the user to request their data for the purposes of displaying it on their website.
The reason I am con… Continue reading Can I safely expose a read-only RESTful API with no key or token?
I’m using JWT for authentication and I use HTTPS. For every request that is made to the server has a header with bearer Token which has an access token. To retrieve my user info Page I have coded my backend with the access Token that is be… Continue reading How to verify the reliability of the request (impersonation)?
I’m trying to create a mobile app which helps to connect with my mobile app. While going through authentication I used JWT. While authenticating it, it returns access token and refresh token to the client but if both of them are sniffed so… Continue reading How to send JWT Access token with requests without being sniffed?
I’m trying to create a mobile app which helps to connect with my mobile app. While going through authentication I used JWT. While authenticating it, it returns access token and refresh token to the client but if both of them are sniffed so… Continue reading How to send JWT Access token with requests without being sniffed?