What is more secure, JWT in HTTP sessions or JWT in client's request header?
I am trying to implement a JWT-based authentication system in one of my projects and I am stuck between two options where I need some clarification. I have come up with two approaches for implementing JWT as follows:
Approach 1
- Client sends credentials for login
- Server verifies the credentials
- Server generates two tokens, auth-token and refresh-token
- Server stores these tokens in its redis-server as [key]=refresh-token and [value]=auth-token
- Since HTTP connections are always alive between client and server, the server sets the auth-token into the HTTP session and sends the refresh-token in the response.
- Client stores the refresh-token in local browser storage and uses it whenever the HTTP connection between client and server is closed, to regain authentication.
- Also, with the help of the refresh-token we can refresh the auth-token easily without logging out the user.
Approach 2
- Client sends credentials for login
- Server verifies the credentials
- Server generates an auth-token and sends it in the response to the client
- Client sets the token in the request header for each request it makes to the server
node.js http jwt httpsession express-jwt
asked Mar 27 at 6:03 by DDD
2 Answers
This is a good explanation: https://auth0.com/learn/refresh-tokens/

> Refresh Tokens are long-lived. This means when a client gets one from a server, this token must be stored securely to keep it from being used by potential attackers; for this reason, it is not safe to store them in the browser. If a Refresh Token is leaked, it may be used to obtain new Access Tokens (and access protected resources) until it is blacklisted. Refresh Tokens must be issued to a single authenticated client to prevent the use of leaked tokens by other parties. Access Tokens must also be kept secret, but due to their shorter life, security considerations are less critical.

Also, sessions may be subject to hijacking or fixation.
If you are using SSL, all the headers are encrypted.
So I'd prefer a native JWT mechanism and would pay attention to the storage of the auth token on the client side.
answered Mar 27 at 6:23 by SiZE
Here are some of my clarifications:
- Storing sessions on the browser side that are long-lived is always risky.
- Let the server do the job of verifying the token sent by a third party or application. This makes sure the token that is being sent is intact and valid.
- I would prefer the approach of always sending the token in headers over HTTPS. This is easier and more secure because the server is going to validate your token with respect to the user session.
answered Mar 27 at 6:34 by Sohan