Collaborate Disseminate
When a user signs in they receive a authorisation token that is then sent along with each subsequent request to authorise the user, and the token is refreshed every server call or once per minute. I heard about attacks where the tokens wer… Continue reading How to tie an authorisation token to a device?
While reading up on refresh tokens, I’ve come by some interesting comments in this answer:
Refresh tokens can be in the form of a JWT as well
After going through all the responses and doing some online research, I was unable to find any … Continue reading JWTs as refresh tokens, beside the JWT access token?
I am trying to understand how refresh tokens and access tokens works, and I ready several threads and documentations. It seems that I am not the only one confused around this topic.
Based on this thread: How does a refresh token help?, wha… Continue reading Security doubts around the refresh token and how it works
I’m currently running a single-instance SaaS application backend where multiple tenants’ data is stored in the same database, separated by tenant IDs. I’m looking to implement authentication that supports multiple tenants while ensuring da… Continue reading How to achieve multi-tenant Authentication in my SaaS application? [closed]
I am working on an app with separate front-end and backend. I need to create API routes which are protected by a JWT token.
On login/register the user gets back a JWT token(short lived) and refresh token(long lived). Refresh token is store… Continue reading PHP JWT token flow in Symfony
I am a developer responsible for mobile app and a couple of SPA web apps. Our customers are organizations ("tenants") with multiple users. Our authentication is built on OAuth2 (OpenID Connect).
We have recently had requests from… Continue reading Best Practices for how to implement in-app user account switching
I have recently been introduced to the Insecure Direct Object Reference vulnerability (https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html) with the example of an attacker copying a k… Continue reading Are all stateless authentication systems vulnerable to IDOR?
I wrote a login backend with express.js to provide authentication (through LDAP) and authorization (through a database of authorized users for each app on mysql). This backend generates jwt and sends them back in the form of an http only c… Continue reading Should I validate json web tokens on my app backend or login backend?
Websockets don’t support sending auth tokens during websocket handshake as part of HTTP headers, rather only via query parameters. This has a security risk of leaking these tokens in server logs. However, if we create these JWT tokens with… Continue reading Is it secure to send JWT tokens in url query parameters if we use nonce to make it a one time token?
I have an admin screen, once I access it, it asks for login credentials, then after I login, I get a token that is saved under local storage (see screenshot below)
Noting that I am using edge browser in private mode, when I opem a new tab… Continue reading Does saving the cookie or jwt token in the browser raise a security risk?