Session_ID in JWT
In my app I use JWT so I can verify that the token has not been tampered with, however the only information I store in it is the user's session_id. Nothing else, no user data, just the session id.
Should I be just using a cookie or something similar?
Thankyou!
46 Replies
Unknown User•3y ago
Message Not Public
Sign In & Join Server To View
That's true
Unknown User•3y ago
Message Not Public
Sign In & Join Server To View
And I can just encrypt the sessionId with some type of device-specific data to stop the cookie from being stolen, no?
Unknown User•3y ago
Message Not Public
Sign In & Join Server To View
is this a way to help prevent a cookie being stolen?
I'd be encrypting it just like I encrypt passwords/emails/etc in db
Unknown User•3y ago
Message Not Public
Sign In & Join Server To View
That's just the first thing I thought of that's device-specific, is there any way to grab device-specific data reliably?
Unknown User•3y ago
Message Not Public
Sign In & Join Server To View
Hmm
Unknown User•3y ago
Message Not Public
Sign In & Join Server To View
I actually am using discord oAuth but yeah I hash access and refresh token iirc
Unknown User•3y ago
Message Not Public
Sign In & Join Server To View
let me grab my encryption code
Unknown User•3y ago
Message Not Public
Sign In & Join Server To View
Unknown User•3y ago
Message Not Public
Sign In & Join Server To View
Ah ok
Should I be hashing this data?
Unknown User•3y ago
Message Not Public
Sign In & Join Server To View
This app isn't even close to prod so it's not a big deal to add it if it's going to increase security
Unknown User•3y ago
Message Not Public
Sign In & Join Server To View
ahhhh
That makes sense
Encryption is nuked if my env file gets leaked lmao
Unknown User•3y ago
Message Not Public
Sign In & Join Server To View
Ok, that makes sense!
Unknown User•3y ago
Message Not Public
Sign In & Join Server To View
👍
The only issue
Oh wait
Unknown User•3y ago
Message Not Public
Sign In & Join Server To View
it doesn't matter if they steal the user's sessionID because we proxy the discord API and cahce results so even if they spam to their hearts content they won't ever abuse discord's API
Unknown User•3y ago
Message Not Public
Sign In & Join Server To View
Discord bot dashboard
Unknown User•3y ago
Message Not Public
Sign In & Join Server To View
More so on the level of our bot getting banned
That was my concern, because even though it's a user's access token, discord links it to the bot so if you give your user their access token and someone steals it to abuse with, then our bot gets flagged and blocked for abuse even though it was the user's access token
Unknown User•3y ago
Message Not Public
Sign In & Join Server To View
We need
identify email guilds guilds.join guilds.members.read
email less so but for later on we want it
Currently the email is ignoredUnknown User•3y ago
Message Not Public
Sign In & Join Server To View
Unknown User•3y ago
Message Not Public
Sign In & Join Server To View
npm
jsonwebtoken
JSON Web Token implementation (symmetric and asymmetric). Latest version: 8.5.1, last published: 4 years ago. Start using jsonwebtoken in your project by running
npm i jsonwebtoken
. There are 21668 other projects in the npm registry using jsonwebtoken.it doesn't have an s idk why I thought it did
I have couldnt find out how to change that output
Does this have anything to do with what this thread is about? lmao
I thought there is
If I'm wrong please correct me
Unknown User•3y ago
Message Not Public
Sign In & Join Server To View
Pondwater's first answer is pretty similar that I have asked
sorry for bother
You're fine, just wasn't sure if it was related to this and I wasn't seeing how