Using JWTs as session tokens is bad practice. Also, storing the JWT in localStorage makes it available to all JS on the page. Please never do this in production.
Yes, if it's used in production, then we should take steps to secure it, like providing an expiry date and doing hashing. There should be a way to verify that a token is authentic on the server side.
Also, we shouldn't store sensitive data in JWTs.
See stackoverflow.com/questions/273015... for more info.
Never use JWTs as sessions. Even with an expiry, you cannot invalidate it on the server side, and if you have to keep track in the backend, it's not stateless anymore. So there's no reason not to go with cookies or plain old sessions.
The most concerning thing here is the localStorage. I used this myself in several apps, but recently I understood the security issues being introduced and fixed it immediately. JWTs are good for server-to-server authentication when several criteria are met, as you said (for example expiry date, signing and so on).
✌️
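To make the two points above concrete (the server must be able to check that a token is authentic and unexpired, and revoking a token before expiry forces the backend to keep state), here is an added example, not code from the thread or from any commenter. It is a minimal HS256 issuer and verifier in plain Python standard library; the secret, the `jti` claim used for revocation and the `revoked` set are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real service loads this from a secret store.
SECRET = b"demo-secret-do-not-use"
# Pin the accepted algorithm so the token's own "alg" header cannot pick it.
ALLOWED_ALGS = {"HS256"}


class TokenError(Exception):
    """Raised for any token that must be rejected."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def issue_token(claims: dict, secret: bytes = SECRET, ttl_seconds: int = 900, now=None) -> str:
    """Sign claims with HS256 and attach iat/exp (short TTL by default)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    body = dict(claims, iat=now, exp=now + ttl_seconds)
    compact = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(body)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, secret: bytes = SECRET, revoked=frozenset(), now=None) -> dict:
    """Return the claims if signature, algorithm, expiry and revocation all pass."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenError("malformed token") from exc
    if header.get("alg") not in ALLOWED_ALGS:
        raise TokenError("unexpected alg")
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" not in claims or now >= claims["exp"]:
        raise TokenError("expired")
    # Revocation before expiry is only possible with server-side state:
    # this set is exactly the "keeping track in the backend" the comment mentions.
    if claims.get("jti") in revoked:
        raise TokenError("revoked")
    return claims


def check(token: str, **kwargs) -> str:
    """Convenience wrapper: 'ok' on success, otherwise the rejection reason."""
    try:
        verify_token(token, **kwargs)
        return "ok"
    except TokenError as exc:
        return str(exc)


if __name__ == "__main__":
    tok = issue_token({"sub": "alice", "jti": "t1"}, now=1000)
    print(check(tok, now=1500))                      # ok
    print(check(tok, now=2000))                      # expired
    print(check(tok, now=1500, revoked={"t1"}))      # revoked
```

The `revoked` set is the trade-off the comment describes: without it, a stolen token stays valid until `exp`, so the only stateless mitigation is a short TTL; with it, the backend is no longer stateless and a plain server-side session would have done the same job.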