undefined | Better HN

0 pointsgrassfedgeek2d ago0 comments

JWT can be short-lived, for example 1 hour. Then on each request if the token is nearing expiration you decide whether to extend it or not, and if so return a replacement JWT with extended expiration. With a short-lived JWT you don't need to invalidate the JWT.

> just put the JWT in an httpOnly cookie

You can have two cookies, one that is signed and httpOnly, and another that is unsigned and readable by JavaScript. Both contain the same information. So JavaScript can read the information in the second cookie, but since it is unsigned, exfiltrating the cookie doesn't compromise security.

0 comments

nathanmills2d ago

Let's say a friend sends you an exe file, a game they made. You run it, and immediately realize it wasn't actually your friend. The attacker has stolen your JWT session cookie. The attacker hasn't done anything yet - they are configuring their browser cookies to match yours. You go to invalidate your session / change your password, but it doesn't help. The attacker has a full hour to do whatever they want on your account. They use it to send the same malicious exe from your account. If you would've been able to invalidate the session, you could've stopped it.

grassfedgeekOP2d ago

> and immediately realize

That's a narrow scenario isn't it, if you have to "immediately" realize?

jeroenhd2d ago

The pattern described is a common Discord account theft method and it has proven very effective at locking people out of their accounts.

1 more reply

nathanmills2d ago

No, it's called an example. I refuse to provide an example for every possible scenario, as that would not fit in the Hacker News comment limit.

amarant2d ago

Add a client IP field to the JWT. Token is only valid if the request comes from the associated IP. Done.

nathanmills2d ago

Geez, I need to re-sign in every time my mobile data switches IP?? IPs are NOT static. Mobile networks change IPs CONSTANTLY. What if I use a VPN (I do) and my IP changes constantly? What if an IOT device on your network is serving as a public residential proxy that anyone can use (more common than you may think), or hell, you have CGNAT and your neighbor does? What if an entire country only goes through one IP[1]? Have you done this in practice?

[1] https://en.wikipedia.org/wiki/User:82.148.97.69

1 more reply

znpy1d ago

> Let's say a friend sends you an exe file, a game they made.

1995 called, they want their lame hacking tecniques back

CodeLieutenant2d ago

Still the same problem, if your account is compromised, you cannot invalidate the session, same for web, same for native app. You need to store it so that it can be blacklisted.

j / k navigate · click thread line to collapse

0 comments

nathanmills2d ago

grassfedgeekOP2d ago

> and immediately realize

That's a narrow scenario isn't it, if you have to "immediately" realize?

jeroenhd2d ago

The pattern described is a common Discord account theft method and it has proven very effective at locking people out of their accounts.

1 more reply

nathanmills2d ago

No, it's called an example. I refuse to provide an example for every possible scenario, as that would not fit in the Hacker News comment limit.

amarant2d ago

Add a client IP field to the JWT. Token is only valid if the request comes from the associated IP. Done.

nathanmills2d ago

[1] https://en.wikipedia.org/wiki/User:82.148.97.69

1 more reply

znpy1d ago

> Let's say a friend sends you an exe file, a game they made.

1995 called, they want their lame hacking tecniques back

CodeLieutenant2d ago

Still the same problem, if your account is compromised, you cannot invalidate the session, same for web, same for native app. You need to store it so that it can be blacklisted.

j / k navigate · click thread line to collapse