1
votes

I have had this question for a long time: is JWT really secure? Because, as far as encoding of the claims and payload goes, we can easily decode the token, and this decoding is shown nicely on their website as well. So my point is that anyone can simply change the auth header using tools like Burp Suite or anything else, supply some other valid token, and authenticate as a fake user. Storing the token in localStorage, as recommended by many, can be less secure too. So my question is: is it really secure compared to encrypted cookies or a session? What are the benefits of stateless authentication? I have read many articles saying that JWTs are good for Single Page Apps. Is that true?

1

1 Answer

2
votes

Access tokens are normally issued after the caller presents their hard credentials (such as username and password). To access protected resources, the caller is expected to send the access token to the server to perform authentication for each request.


In Web applications, access tokens shouldn't be accessible to JavaScript nor stored in local storage. Instead, access tokens should be sent over an HTTPS connection and stored in a cookie with the Secure and HttpOnly flags set:

4.1.2.5. The Secure Attribute

The Secure attribute limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent). When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS)). [...]

4.1.2.6. The HttpOnly Attribute

The HttpOnly attribute limits the scope of the cookie to HTTP requests. In particular, the attribute instructs the user agent to omit the cookie when providing access to cookies via "non-HTTP" APIs (such as a web browser API that exposes cookies to scripts). [...]


In JWT, the payload is a JSON string encoded as Base64. So it's not suitable for storing sensitive details such as passwords.

Signed tokens allow the server to perform stateless authentication, that is, tell who the user is by just checking the access token content. The server won't depend on external services to authenticate the user.

JWT tokens should be signed with a strong cryptographic key (that must be kept secure on the server) and the signature must be checked before trusting the token.
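As an added example (not part of the question or the answer above), a minimal HS256 JWT built with only Python's standard library that shows the three points the answer makes: the payload can be read by anyone, a token whose payload was edited without the key fails the signature check, and the token belongs in a Secure, HttpOnly cookie. The key, claim names and cookie name are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a real signing key lives only on the server.
DEMO_KEY = b"constructed-demo-key"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT: header.payload.signature."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def decode_claims_unverified(token: str) -> dict:
    """Anyone can read the payload: it is Base64url-encoded, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if the signature checks out, else None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # reject anything but the algorithm we issue
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None  # signature mismatch: payload altered or wrong key
        return json.loads(b64url_decode(payload))
    except ValueError:  # malformed structure, Base64 or JSON
        return None

def swap_claims_keep_signature(token: str, claims: dict) -> str:
    """Edited payload with the original signature kept, as a client without the key could produce."""
    header, _, sig = token.split(".")
    return f"{header}.{b64url_encode(json.dumps(claims, separators=(',', ':')).encode())}.{sig}"

def session_cookie_header(token: str) -> str:
    """Set-Cookie value: only sent over TLS and hidden from page scripts."""
    return f"access_token={token}; Secure; HttpOnly; SameSite=Strict; Path=/"
```

Reading the claims with decode_claims_unverified succeeds with no key at all, which is why the server must call verify_jwt before trusting anything in them.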