JSON Web Token
frontendo, 2017-06-30 22:16:24

How to protect a user from JWT token theft in Laravel?

Laravel has an implementation of jwt-auth. It provides for the expiration of the token and its refresh (jwt.refresh). But what if the token is stolen by an attacker and exchanged for a new one before the expiration date, or after it (if the user is inactive)? The user can then no longer refresh his old token (since the attacker has already refreshed it) and will have to obtain a token again by entering a login and password. Meanwhile the thief will freely use the account, periodically refreshing the token. How is such a problem solved? Or is it already solved?


1 answer(s)
dskozin, 2017-07-06
@dskozin

Hello!
Is the question real (i.e. have you encountered such a situation) or hypothetical?
As far as I understand, the authorization process is approximately as follows:
1. The user enters a login and password and is given token1.
2. With token1 he obtains token2; until then no functions other than refresh are available.
3. The user uses token2.
If an attacker steals token1 and makes a refresh, he gets token2, which he uses for bad purposes. At the same time, he can make further refreshes after the tokens expire.
But! The real user, having gone through the authorization procedure again, will receive a token3, which the attacker does not know (if so), and therefore the attacker cannot obtain a refresh from it.
That is, as far as I understand, an attacker can use the token only until the real user authorizes again (or until the real user makes a refresh).
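The exchange described in the answer (token1 refreshed into token2, the thief and the owner both holding token1) is modelled below as an added example; it is not code from the thread or from jwt-auth, and it uses a constructed HS256 signer and an in-memory store rather than Laravel. It goes one step further than the answer: every login starts a token "family", each refresh token may be exchanged exactly once, and a second presentation of the same token is treated as evidence of a stolen copy and revokes the whole family, so the thief's token2 dies as soon as the real user tries to refresh. Token expiry is left out to keep the example short.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-secret"  # constructed placeholder, not a real key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _mac(head: str, body: str) -> str:
    return _b64(hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest())

def sign(claims: dict) -> str:
    """Mint a compact HS256 JWT: header.payload.signature."""
    head = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    return f"{head}.{body}.{_mac(head, body)}"

def verify(token: str):
    # Return the claims when the signature checks out, otherwise None.
    parts = token.split(".")
    if len(parts) != 3 or not hmac.compare_digest(_mac(parts[0], parts[1]), parts[2]):
        return None
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))

class RefreshStore:
    """Server-side state: a login starts a token family; each refresh token in
    it may be exchanged once, and a second use revokes the whole family."""
    def __init__(self):
        self.used = set()     # jti values already exchanged
        self.revoked = set()  # families killed after a replay was seen
    def login(self, user: str) -> str:
        return self._issue(user, secrets.token_hex(8))
    def _issue(self, user: str, fam: str) -> str:
        return sign({"sub": user, "fam": fam, "jti": secrets.token_hex(8)})
    def refresh(self, token: str):
        c = verify(token)
        if c is None or c["fam"] in self.revoked:
            return None
        if c["jti"] in self.used:   # replay: owner and thief both hold this token
            self.revoked.add(c["fam"])
            return None
        self.used.add(c["jti"])
        return self._issue(c["sub"], c["fam"])

def scenario():
    """Thread scenario: thief refreshes stolen token1 first, owner's refresh of token1 exposes it."""
    store = RefreshStore()
    token1 = store.login("alice")
    token2 = store.refresh(token1)   # attacker exchanges the stolen token
    owner = store.refresh(token1)    # real user presents the same token1
    thief_again = store.refresh(token2)
    return token2 is not None, owner is None, thief_again is None
```

The owner's failed refresh is the detection signal: in a real deployment that event should force a fresh login and be logged, since it means a refresh token was copied.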
