Prevention against replay attacks #36
Comments
Hey Alberto, The JWT spec provides the Nevertheless, in general you don't get stuff from local storage every day (but it is possible of course). For example an XSS attack against your site would be able to retrieve credentials from local storage. There are two alternatives that you could use to avoid someone having infinite tokens if they steal one:
If a token gets stolen you blacklist it (or the nth token that has been issued after it) and wait for it to expire. Once it does, the attacker won't be able to impersonate the user any more.
Thanks @dschenkelman, I'll try to handle this in that direction (blacklist tokens and try to make my site XSS proof). If you have any literature I can look into, it would be very helpful 👍
Great. Glad we were able to help. Just FYI, this kind of question could be useful for others, so you could post at ask.auth0.com
Super old thread, but in case someone else hops along here, SameOrigin HTTP-Only cookies over HSTS / HTTPS are useful when working with an API on the same domain
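As an added example (not code from this thread or from the project it belongs to), here is what the cookie-based variant from the comment above looks like on the server side: the response headers that carry the token in an HttpOnly, Secure, SameSite cookie over HTTPS with HSTS, and a small audit function that reports which of those attributes a given Set-Cookie header is missing. The cookie name, the `__Host-` prefix and the HSTS max-age are assumptions for the demo.

```javascript
// Added example, not from the original issue thread. Builds the headers for
// delivering a session token as a hardened cookie and audits Set-Cookie
// values for the attributes that matter. Node.js, no third-party modules.

// Attributes every cookie that carries a credential should have.
// (lower-cased for case-insensitive matching; attribute names are
// case-insensitive per RFC 6265)
const REQUIRED_COOKIE_ATTRS = ['httponly', 'secure', 'samesite'];

// Headers for an HTTPS response that sets the token cookie.
// - HttpOnly: document.cookie cannot read it, so an XSS cannot exfiltrate it
//   (it can still make requests from the victim's browser, see the note below).
// - Secure: never sent over plain HTTP.
// - SameSite=Strict: not attached to cross-site requests, which covers the
//   CSRF risk that cookie-based auth reintroduces for a same-domain API.
// - __Host- prefix (assumption): browsers accept it only with Secure, Path=/
//   and no Domain attribute, so it cannot be overwritten from a sibling host.
// - Strict-Transport-Security: browsers refuse plain-HTTP for the site.
function sessionCookieHeaders(token, { maxAgeSeconds = 300 } = {}) {
  const value = encodeURIComponent(token); // JWTs are cookie-safe, but be explicit
  return {
    'Set-Cookie':
      `__Host-session=${value}; Path=/; Max-Age=${maxAgeSeconds}; ` +
      'HttpOnly; Secure; SameSite=Strict',
    'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
  };
}

// Parse one Set-Cookie header value and return the cookie name plus a list
// of hardening problems: each required attribute that is absent, and
// SameSite=None, which is present but gives no cross-site protection.
function auditSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const present = new Map(
    attrs.map((a) => {
      const [k, v = ''] = a.split('=');
      return [k.toLowerCase(), v.toLowerCase()];
    })
  );
  const missing = REQUIRED_COOKIE_ATTRS.filter((a) => !present.has(a));
  if (present.get('samesite') === 'none') {
    missing.push('samesite=None offers no CSRF protection');
  }
  return { name: nameValue.split('=')[0], missing };
}

module.exports = { sessionCookieHeaders, auditSetCookie };
```

HttpOnly stops script from reading the cookie, which is exactly the localStorage exposure discussed above, but a script running in the victim's page can still issue requests that the browser will authenticate with that cookie; the cookie closes the exfiltration path, not the XSS itself.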
Hello,
So this is the workflow I have at this moment for using JWT:
So far so good, everything works like a charm, but I have a really big concern... what happens if someone grabs that token that I have saved on localStorage and then creates the same request through, let's say, Postman? That's going to:
So how likely is it that someone is able to hack my localStorage/IndexedDB/WebSQL?
Are my steps wrong?
What's the right way to implement a "nonce"? (I think I don't need this since I'm doing something like a heartbeat: every time I do a request with my token, I return a new one and the previous one gets blacklisted)
Thanks in advance