JSON Web Token
Ibishka, 2020-09-18 13:24:40

What secret key to use in JWT?

Yes, they say to use one key, for example qwerty, for all users, but the problem is that if so, then if an attacker learns qwerty, he will take over all user accounts. Shouldn't the key be unique for every user? If so, what should be used, for example?


3 answers
Rsa97, 2020-09-18
@Ibishka

You can find out the key only by hacking the server. In this case, someone's knowledge of the key would be the least of the problems.

Pavel Shvedov, 2020-09-18
@mmmaaak

Generate a normal key, of adequate length and complexity. As far as I understand, this is just a salt used for hashing when generating a token; knowing it does not mean that you know all logins and passwords, it only means that without knowing this salt you cannot artificially generate a valid token.

Ivan Shumov, 2020-09-18
@inoise

First, there are 2 main ways to generate signatures: HS (symmetric) and RS (asymmetric) tokens. Of course, you should use asymmetric ones for greater reliability.
Second, JWT is not about security. All information in the token is public and only the client decides how to treat it. You can always ask the server about the validity of this token.
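As an added example (not from any of the answers on this page): a minimal HS256 mint/verify using only Python's standard library, showing the single server-wide secret the answers describe generated at adequate length, the algorithm pinned on the server rather than read from the token, and the signature compared in constant time. Function names are my own.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def generate_secret() -> bytes:
    # One server-wide secret of 32 random bytes (HMAC-SHA256 output size).
    # Its strength, not per-user uniqueness, is what prevents forged tokens.
    return secrets.token_bytes(32)


def mint(secret: bytes, claims: dict) -> str:
    # JWS compact form: base64url(header).base64url(payload).base64url(sig)
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify(secret: bytes, token: str, now=None):
    """Return the claims dict if signature and expiry check out, else None."""
    try:
        h64, p64, s64 = token.split(".")
        header, claims = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64))
        sig = b64url_decode(s64)
    except ValueError:  # wrong segment count, bad base64 or JSON
        return None
    # Pin the algorithm server-side; never let the token's "alg" pick it.
    if not isinstance(header, dict) or not isinstance(claims, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    if "exp" in claims and (time.time() if now is None else now) >= claims["exp"]:
        return None
    return claims
```

A token whose payload is altered, whose header says `none`, or which was signed with a different secret is rejected, while the same secret verifies every user's token, which is exactly why its length and randomness matter.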
