DEV Community

Discussion on: Secure JSON Web Token with Unique Browser IDs

Alexander Schau Author

You're right, but the header information isn't clear enough. The package contains a one-time ID function (an ID which will only live for 30 seconds), which reduces the moments where hijackers can steal the ID. Sure, it isn't a perfect solution, but it is a more secure one and helps against Local Storage copiers 😆

Médéric Burlet

I would have added or used a user-agent middleware on the server side: compiling the user-agent information into the JWT and then checking it through the middleware, and if the user agent + headers aren't the same, then don't process the request.

Kaique Garcia

The real problem here isn't someone stealing the ID, but discovering how to generate those IDs based on how your client-side script works. Then he/she could do everything, generating someone else's IDs for each fake request.

That's why things should be generated on the server side: to keep the secret key... secret. Hehe.