DEV Community

Discussion on: Secure JSON Web Token with Unique Browser IDs

Médéric Burlet

Wouldn't it be better to have your backend perform browser analysis from headers and compare it with what's in the JWT? Generating this kind of unique ID on the client means it will be sent to the server at some point, and it can be hijacked the same way as the JWT.

Alexander Schau

You're right, but the header information isn't clear enough. The package contains a one-time ID function (an ID which will only live for 30 seconds), which will reduce the moments where hijackers can steal the ID. Sure, it isn't a perfect solution, but it is a more secure one and helps against Local Storage copiers 😆

Médéric Burlet

I would have added or used a user agent middleware on the server side: compile the user agent information into the JWT and then check it through the middleware, and if the user agent + headers aren't the same, don't process the request.