
java - JWT token security issues

Systems A and B both have separated front ends and back ends (two systems, cross-domain).
Now a page in system A jumps to system B.
I use it to jump to system B. There is an encrypted token (including the user ID) in the address bar to help it log in automatically.
This page displays the product information and discounts for this user.

At this time, if I know someone else's token and modify the address bar, the page becomes someone else's information.

At this time, without even knowing other people's account passwords, I can get some of their user information.

高洛峰 · asked 2664 days ago

4 replies

  • 过去多啦不再A梦 · 2017-07-03 11:45:27

    Encrypt with HTTPS; the HTTP protocol itself is not safe, it is plain text.
    These guys are right, I am wrong.

  • 曾经蜡笔没有小新 · 2017-07-03 11:45:27

    1. The simplest method is also a safer method. When system B helps him log in, pop up the box again and let him confirm his password!

    2. There is a CSRF token, or a random-number method. It's worth having. The CSRF token limits such cross-domain attacks.

    3. The JWT verification token must be placed in the header. You may consider authorization authentication.

  • 高洛峰 · 2017-07-03 11:45:27

    First of all, tokens emerged to solve the problem of user verification. Since there are two systems, automatic login should be avoided. This is very unsafe.
    But since you have such a need, you can only avoid the risk as much as possible. Here is a solution: try to avoid sensitive information in the token. Secondly, when authorizing cross-system tokens, make the authorization of this token one-time and compress the validity period of the token, so that the token is only valid for 30 minutes. In fact, you can refer to the fact that many third-party logins, such as Weibo, issue authorized tokens that only contain a small amount of information such as nicknames and avatars.

  • PHP中文网 · 2017-07-03 11:45:27

    Is this a real scene?

    If you can get someone else's token, it is equivalent to eavesdropping on his password. This is not a JWT security issue.

    The measure related to JWT itself is to add an expiration time to force the JWT to expire after a certain period of time.

    According to the JWT specification, it is best to put JWT in the request header Authorization, not in the URL.

    HTTPS works.

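The advice in the last two answers (a short validity period, one-time use, only a minimal claim such as the user ID, and reading the token from the Authorization header rather than the URL) as an added, runnable illustration; this is my example, not code from any poster. It assumes systems A and B share an HS256 key and that B keeps a registry of already-used `jti` values; the key, audience name and 30-minute TTL are constructed sample values.

```python
import base64, hashlib, hmac, json, os, time

SECRET = b"constructed-demo-secret-shared-by-A-and-B"  # assumption: key shared by A and B
TTL_SECONDS = 30 * 60  # 30-minute validity, as suggested in the thread
AUDIENCE = "system-b"  # assumption: the hand-off token is only meaningful to B
_used_jti = set()  # single-use registry; in production a shared store with its own TTL

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_handoff_token(user_id, now=None):
    """System A: sign a short-lived, single-use HS256 JWT carrying only the user id."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "aud": AUDIENCE, "iat": now,
               "exp": now + TTL_SECONDS, "jti": os.urandom(16).hex()}
    dump = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = dump(header) + "." + dump(payload)
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def consume_handoff_token(token, now=None):
    """System B: return the user id only if signature, alg, audience, expiry and
    single use all check out; otherwise None. B reads it from the Authorization header."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        expected = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None  # forged or tampered
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":
        return None  # refuse "none" and algorithm-confusion tokens
    if payload.get("aud") != AUDIENCE or payload.get("exp", 0) <= now:
        return None  # meant for another system, or expired
    jti = payload.get("jti")
    if not jti or jti in _used_jti:
        return None  # replayed: a leaked token is useless after its first use
    _used_jti.add(jti)
    return payload.get("sub")
```

Because the token carries only `sub`, a leaked one exposes no profile data by itself, and the `jti` registry plus the 30-minute `exp` limit how long and how often it can be presented.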