Session_ID in JWT

In my app I use JWT so I can verify that the token has not been tampered with, however the only information I store in it is the user's session_id. Nothing else, no user data, just the session id. Should I be just using a cookie or something similar? Thank you!
46 Replies
Unknown User 3y ago
Message Not Public
Hycord | @ When Replying
That's true
Unknown User 3y ago
Message Not Public
Hycord | @ When Replying
And I can just encrypt the sessionId with some type of device-specific data to stop the cookie from being stolen, no?
Unknown User 3y ago
Message Not Public
Hycord | @ When Replying
- User signs in, server receives:
  - user
  - pass
  - device MAC addr or something
- encrypt `${session_id}-${user_mac_address}` and return to client as cookie

- every req to server would contain the user's MAC addr or whatever device-specific data, and the server checks whether it matches the encrypted value
is this a way to help prevent a cookie being stolen? I'd be encrypting it just like I encrypt passwords/emails/etc in db
Unknown User 3y ago
Message Not Public
Hycord | @ When Replying
That's just the first thing I thought of that's device-specific, is there any way to grab device-specific data reliably?
Unknown User 3y ago
Message Not Public
Unknown User 3y ago
Message Not Public
Hycord | @ When Replying
I actually am using Discord OAuth, but yeah, I hash access and refresh token iirc
Unknown User 3y ago
Message Not Public
Hycord | @ When Replying
let me grab my encryption code
Unknown User 3y ago
Message Not Public
Hycord | @ When Replying
import { BoringCrypto, SymmetricKey } from "ciphersweet-js";

// Symmetric encryption backend and the key loaded from the environment
let brng = new BoringCrypto();
let key = new SymmetricKey(env.ENCRYPTION_KEY);

...

// encrypt() returns reversible ciphertext (it is encryption, not a hash)
// applied to the Discord OAuth tokens before they are stored
const hashedAccessToken = await brng.encrypt(access_token, key);
const hashedRefreshToken = await brng.encrypt(refresh_token, key);
Unknown User 3y ago
Message Not Public
Hycord | @ When Replying
Ah ok. Should I be hashing this data?
Unknown User 3y ago
Message Not Public
Hycord | @ When Replying
This app isn't even close to prod so it's not a big deal to add it if it's going to increase security
Unknown User 3y ago
Message Not Public
Hycord | @ When Replying
ahhhh, that makes sense. Encryption is nuked if my env file gets leaked lmao
Unknown User 3y ago
Message Not Public
Hycord | @ When Replying
Ok, that makes sense!
Unknown User 3y ago
Message Not Public
Hycord | @ When Replying
👍 The only issue... Oh wait
Unknown User 3y ago
Message Not Public
Hycord | @ When Replying
it doesn't matter if they steal the user's sessionID, because we proxy the Discord API and cache results, so even if they spam to their heart's content they won't ever abuse Discord's API
Unknown User 3y ago
Message Not Public
Hycord | @ When Replying
Discord bot dashboard
Unknown User 3y ago
Message Not Public
Hycord | @ When Replying
More so on the level of our bot getting banned. That was my concern, because even though it's a user's access token, Discord links it to the bot, so if you give your user their access token and someone steals it to abuse with, then our bot gets flagged and blocked for abuse even though it was the user's access token
Unknown User 3y ago
Message Not Public
Hycord | @ When Replying
We need `identify`, `email`, `guilds`, `guilds.join`, `guilds.members.read`. Email less so, but for later on we want it. Currently the email is ignored
Unknown User 3y ago
Message Not Public
Hycord | @ When Replying
I use jsonwebtokens (https://npmjs.com/package/jsonwebtokens) presently
Unknown User 3y ago
Message Not Public
Hycord | @ When Replying
npm
jsonwebtoken
JSON Web Token implementation (symmetric and asymmetric). Latest version: 8.5.1, last published: 4 years ago. Start using jsonwebtoken in your project by running npm i jsonwebtoken. There are 21668 other projects in the npm registry using jsonwebtoken.
Hycord | @ When Replying
it doesn't have an s idk why I thought it did
Çağlar 3y ago
I couldn't find out how to change that output
Hycord | @ When Replying
Does this have anything to do with what this thread is about? lmao
Çağlar 3y ago
I thought there was
Hycord | @ When Replying
If I'm wrong please correct me
Unknown User 3y ago
Message Not Public
Çağlar 3y ago
Pondwater's first answer is pretty similar to what I asked, sorry for the bother
Hycord | @ When Replying
You're fine, just wasn't sure if it was related to this and I wasn't seeing how