
I am new to JWT (JSON Web Token). I have a question about JWT: identifying a user with a token (already logged in once) and without a token (first-time login).

Is it like this: if I pass only the username and password every time I log in, the server will create a new JWT for me? If this is true, then isn't it vulnerable for the user if someone gets access to his/her username and password and tries to log in from a different PC or browser? (As the JWT is always stored in cookies or local storage.)


1 Answer


Following your schema, if an attacker steals the user's credentials (username/password), then he could log in to the system and get valid JWT tokens.

If the attacker steals the JWT, he could also log in to the system before the expiration time and use the provided services (for example, change the password if that is available).

Then the security question is: protect the credentials and protect the token.

  • Mainly, use HTTPS
  • Set a short expiration time and rotate tokens
  • Use "secure" storage for tokens
  • Be aware that changing passwords or permissions could invalidate tokens before the expiration time. Maybe you need a blacklist
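The server-side half of the answer's list (short expiration, rotation, a blacklist, and invalidating tokens after a password change), as an added example that is not code from the question or the answer. It uses only the Python standard library to mint and verify HS256 JWTs; `SECRET_KEY`, the 300-second lifetime, the in-memory `REVOKED_JTI` set and the `PASSWORD_CHANGED_AT` table are assumptions made for the example. HTTPS and client-side storage are deployment concerns and are not shown here.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Set

# Assumption: the server's HS256 signing key. A real deployment loads it from
# a secrets store; this constant exists only so the example runs stand-alone.
SECRET_KEY = b"assumed-server-side-signing-key-rotate-me"

# Short lifetime (the answer's "set a short expiration time"): 5 minutes.
ACCESS_TTL_SECONDS = 300

# Server-side state for the answer's "blacklist": revoked token ids, plus the
# time of each user's last password change so older tokens stop verifying.
# Assumption: in-memory for the example; a real service shares this state.
REVOKED_JTI: Set[str] = set()
PASSWORD_CHANGED_AT: Dict[str, int] = {}


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> str:
    mac = hmac.new(SECRET_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return _b64url(mac)


def issue_token(sub: str, now: Optional[int] = None) -> str:
    """Mint a short-lived HS256 JWT for user `sub` after a successful login."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": sub,
        "iat": now,
        "exp": now + ACCESS_TTL_SECONDS,
        "jti": secrets.token_hex(16),  # unique id so one token can be revoked
    }
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    return signing_input + "." + _sign(signing_input)


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if the token is genuine and still acceptable, else None."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, signature = parts
    # Recompute the MAC over header.payload and compare in constant time.
    expected = _sign(header_b64 + "." + payload_b64)
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return None
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        return None
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        return None  # expired (RFC 7519: current time must be before exp)
    if payload.get("jti") in REVOKED_JTI:
        return None  # explicitly revoked (the blacklist)
    if payload.get("iat", 0) < PASSWORD_CHANGED_AT.get(payload.get("sub"), 0):
        return None  # issued before the user's last password change
    return payload


def revoke_token(token: str) -> None:
    """Blacklist one token by its jti (e.g. on logout or suspected theft)."""
    parts = token.split(".")
    if len(parts) == 3:
        try:
            REVOKED_JTI.add(json.loads(_b64url_decode(parts[1]))["jti"])
        except (ValueError, KeyError, TypeError):
            pass


def rotate_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Exchange a still-valid token for a fresh one and revoke the old one."""
    payload = verify_token(token, now)
    if payload is None:
        return None
    revoke_token(token)
    return issue_token(payload["sub"], now)


def change_password(sub: str, now: Optional[int] = None) -> None:
    """Record the change; every token issued before this instant stops verifying."""
    PASSWORD_CHANGED_AT[sub] = int(time.time()) if now is None else now
```

The `jti` blacklist only needs to hold entries until their `exp` passes, which is why a short lifetime keeps it small. The per-user `PASSWORD_CHANGED_AT` check covers the answer's last point without listing every outstanding token: a stolen token issued before the change stops verifying even though its signature is still valid.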