Invalidating a client-side JWT session

I have read a lot about JWT and how to create stateless sessions with it. The bottom line, as I understand it, is that because of the signature and the expiration, you can essentially send the entire session to the client to keep, and the server does not need a database to remember the session.

What I don’t understand is what happens if your user needs to log out or you need to cancel the session before the expiration date?

Technically, you can tell the browser to remove it from the client, but you cannot be sure that this really happened. The token itself is technically still valid, and if your removal instructions were not followed, it can still be used.

Is this understanding correct? If so, isn't that a huge flaw in client-side session management? Are there any methods to overcome it, other than the server keeping the session or shortening the expiration time?

+9
authentication session stateless session-state jwt json-web-token
3 answers

There are several reasons to invalidate a JWT before it expires: the account has been deleted / locked / suspended, the password has been changed, access rights have been changed, the user has been logged out by an administrator. So your question is on topic.

There are several techniques you can apply, alone or in combination, depending on your use case.

1) Remove the token from the client's local storage

2) Token blacklist: store tokens that were logged out before their expiration time as expired, and check them on each request. Use a unique identifier jti, or store the last login date and the issued-at time iat, to reject old tokens

Server storage is required. If you do not expect too many tokens to be revoked, you can also keep the blacklist in memory. You only need to write the record after updating the user's critical data, while currentTime - maxExpiryTime < lastLoginDate (iat). A record can be discarded once currentTime - maxExpiryTime > lastModified (no further tokens have been issued). In this case it is not necessary to store the entire token, just sub, iat and maybe iat

3) Short expiration times and rotate the tokens. Issue a new access token every few requests. Use refresh tokens so that your application can obtain new access tokens without requiring re-authentication, and combine this with sliding sessions

Sliding sessions are sessions that expire after a period of inactivity. When the user performs an action, a new access token is issued. If the user uses an expired token, the session is considered inactive and a new access token is required. This new token can be obtained with a refresh token or by requiring the credentials again.

Other common methods:

  • Allow the user's unique ID to be changed, along with a new username and password, if the account is compromised.

  • To invalidate tokens when a user changes their password, sign the token with a hash of the password. If the password is changed, all previous tokens automatically fail verification. Extend this mechanism with other claims of interest. The disadvantage is that it requires access to the database

  • Change the signature algorithm to revoke all current tokens in the event of a major security issue

Take a look at Invalidating JSON Web Tokens

+14
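As an added illustration of the blacklist technique from the answer above (this is not the answerer's code), the following minimal HS256 implementation keeps only a revoked-jti map and a per-user "last critical change" timestamp on the server, rejects tokens whose iat predates that change, and prunes both structures once they can no longer match an unexpired token. The key, user names, jti values and timestamps are constructed for the example.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-hmac-key"  # constructed key for the example only
MAX_EXPIRY = 3600                      # longest access-token lifetime the server issues (s)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(sub: str, jti: str, now: int) -> str:
    # Mint an HS256 token carrying sub, a unique jti, and iat/exp claims.
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps({"sub": sub, "jti": jti, "iat": now, "exp": now + MAX_EXPIRY}).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

class RevocationStore:
    """The small amount of server-side state the blacklist approach needs."""
    def __init__(self):
        self.revoked = {}      # jti -> exp; the entry is useless once that token has expired
        self.last_change = {}  # sub -> time of last password/permission change (lastModified)
    def revoke(self, jti: str, exp: int) -> None:
        self.revoked[jti] = exp
    def user_changed(self, sub: str, now: int) -> None:
        self.last_change[sub] = now
    def prune(self, now: int) -> None:
        # Expired revocations and changes older than the longest lifetime can never match a live token.
        self.revoked = {j: e for j, e in self.revoked.items() if e > now}
        self.last_change = {s: t for s, t in self.last_change.items() if now - MAX_EXPIRY <= t}

def verify(token: str, store: RevocationStore, now: int):
    """Return (claims, "ok") or (None, reason); signature first, then the stateful checks."""
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None, "bad signature"
    claims = json.loads(b64url_decode(body))
    if claims["exp"] <= now:
        return None, "expired"
    if claims["jti"] in store.revoked:
        return None, "revoked"
    if claims["iat"] < store.last_change.get(claims["sub"], 0):
        return None, "issued before last critical change"
    return claims, "ok"
```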

I did my homework and it seems that the best approach to implementing revocation is to use jti (the JWT ID) and a blacklist of revoked identifiers (which is cleared once the token has expired). This makes the JWT stateful only for the blacklist part.

+2

Blacklists violate the statelessness of JWT. There are many authentication schemes you can use. JWT is built on statelessness, so it should be used that way. On the other hand, it is a very common authentication scheme, and if you need to implement it and want your application (API) to be really secure, you need to allow for some configuration.

I personally use these two methods in my projects (separately or in combination, depending on performance needs):

  1. Token log. I log every token issued in my project with its identifier, claims and expiration, and check it on every request. When a token expires, it is moved from this log to an archive. The performance hit is not so terrible.

  2. I also add to the claims, in addition to the username, a hash of the user's secret (something like an automatically generated hidden token or password), which is checked in the next step when loading the user from the DB. This has no significant performance cost, because the query for the user is executed anyway. The disadvantage is that you cannot invalidate a specific token, only the user's entire session.

0