Security regarding JWT .NET 8
Hi everyone, I'm working on authentication and I want to make a "remember me" feature by making the JWT valid for 30 days. But if this token is shared, I'll have two people using the same account, right? How can I make it safer? A refresh token? Or should I save the user's token and IP in the database, so that any other IP using that token is not valid?
I'm just wondering what is the safer approach when it comes to authentication and authorization, if anyone knows any playlist to watch or blogs to read regarding this subject so I can learn more about it and make my work better, I would like it very much, thanks!
10 Replies
you'd generally use a short-lived JWT with a refresh token that has longer validity
the issue with having a JWT with a long validity is that if the token is compromised, the attacker will be able to use it for a much longer period
you could tie tokens to IP addresses but you may have issues with users being assigned different IPs which would then effectively lock them out
But if the token is compromised and two people have the token, how can I know which one to refresh the token for and make the other one invalid? (I'm a beginner, I don't really know if I'm asking a dumb question)
you wouldn't invalidate the JWT. only the holder of the refresh token would be able to get a new one when it expires.
so say your JWT lasts for 10 minutes. worst case scenario an attacker gets hold of it the second it is issued. they would be able to act as that user for 10 minutes only.
Thank you very much, I'll study about it and try to implement.
Unknown User•4w ago
Message Not Public
I'm using Identity already and the sign-up and sign-in processes are doing fine, even with email confirmation, but I'm having trouble figuring out how to manage the tokens, because if the user passes his token to a friend, two people will use the app, right?
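The pattern the replies describe (a 10-minute JWT plus a long-lived refresh token), worked through for the "two people holding the same token" concern raised above. This is an added example, not code from the thread or from ASP.NET Core Identity. It assumes .NET 8 with the System.IdentityModel.Tokens.Jwt NuGet package, and uses an in-memory dictionary where real code would use a database table. The refresh token is opaque (random bytes), stored only as a SHA-256 hash, and single-use: whoever presents it second is treated as reuse, and the whole token family is revoked so both holders have to sign in again.

```csharp
// Added example: short-lived JWT + rotating, single-use opaque refresh tokens.
// Assumes .NET 8 and the NuGet package System.IdentityModel.Tokens.Jwt
// (which brings in Microsoft.IdentityModel.Tokens). Not the thread's own code.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// One row per issued refresh token. Family groups every token descended from one sign-in.
public sealed record RefreshRecord(string UserId, Guid Family, DateTime ExpiresUtc, bool Used);

public sealed class TokenService
{
    private static readonly TimeSpan AccessLifetime = TimeSpan.FromMinutes(10);
    private static readonly TimeSpan RefreshLifetime = TimeSpan.FromDays(30); // the "remember me" window

    private readonly SymmetricSecurityKey _signingKey;
    // Key: SHA-256 hash of the refresh token (never the raw token). Stand-in for a DB table.
    private readonly Dictionary<string, RefreshRecord> _refreshStore = new();

    public TokenService(byte[] signingKeyBytes) => _signingKey = new SymmetricSecurityKey(signingKeyBytes);

    // Sign-in: start a new token family.
    public (string AccessToken, string RefreshToken) Issue(string userId) => IssuePair(userId, Guid.NewGuid());

    // Refresh: rotate the token. A second presentation of the same token means two parties hold it
    // (leaked or deliberately shared), so the whole family is revoked and nobody gets a new pair.
    public (string AccessToken, string RefreshToken)? Refresh(string presented)
    {
        var hash = Hash(presented);
        if (!_refreshStore.TryGetValue(hash, out var rec)) return null; // unknown or already revoked

        if (rec.Used)
        {
            RevokeFamily(rec.Family); // reuse detected: lock out both holders
            return null;
        }
        if (rec.ExpiresUtc < DateTime.UtcNow)
        {
            _refreshStore.Remove(hash);
            return null;
        }

        _refreshStore[hash] = rec with { Used = true }; // burn the presented token
        return IssuePair(rec.UserId, rec.Family);
    }

    private (string, string) IssuePair(string userId, Guid family)
    {
        var now = DateTime.UtcNow;
        var jwt = new JwtSecurityToken(
            issuer: "example-issuer",      // placeholder values; take these from configuration
            audience: "example-api",
            claims: new[] { new Claim(JwtRegisteredClaimNames.Sub, userId) },
            notBefore: now,
            expires: now.Add(AccessLifetime),
            signingCredentials: new SigningCredentials(_signingKey, SecurityAlgorithms.HmacSha256));
        var access = new JwtSecurityTokenHandler().WriteToken(jwt);

        // Opaque refresh token: 256 bits of CSPRNG output, base64url so it is safe in headers/cookies.
        var refresh = Base64UrlEncoder.Encode(RandomNumberGenerator.GetBytes(32));
        _refreshStore[Hash(refresh)] = new RefreshRecord(userId, family, now.Add(RefreshLifetime), Used: false);
        return (access, refresh);
    }

    private void RevokeFamily(Guid family)
    {
        foreach (var key in _refreshStore.Where(kv => kv.Value.Family == family).Select(kv => kv.Key).ToList())
            _refreshStore.Remove(key);
    }

    private static string Hash(string token) => Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));
}

public static class Demo
{
    public static void Main()
    {
        // Constructed demo: the HS256 key is random here; in real code it comes from configuration/secrets.
        var svc = new TokenService(RandomNumberGenerator.GetBytes(32));
        var (access, refresh) = svc.Issue("user-123");
        Console.WriteLine($"access token length: {access.Length}, expires in 10 minutes");

        // Both the real user and a friend now hold 'refresh'. Whoever refreshes first succeeds...
        var first = svc.Refresh(refresh);
        Console.WriteLine(first is null ? "first refresh rejected" : "first refresh ok");

        // ...and the second presentation is reuse: the family is revoked and this caller is rejected.
        var second = svc.Refresh(refresh);
        Console.WriteLine(second is null ? "reuse detected, family revoked" : "unexpected");

        // Even the holder of the newest token is locked out until someone signs in again.
        var third = svc.Refresh(first!.Value.RefreshToken);
        Console.WriteLine(third is null ? "newest token also revoked" : "unexpected");
    }
}
```

The JWT itself is never revoked, exactly as the reply says: it simply runs out after 10 minutes, and only a valid, unused refresh token can mint the next one. Tying the stored record to a user and a family (rather than to an IP, which the thread notes can change and lock people out) is what lets the server notice sharing without a per-request database lookup on the access token.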
Unknown User•4w ago
Message Not Public
do you know any YouTube videos or playlists where I can learn how to handle JWT with Identity? or any source of information would be good
Unknown User•4w ago
Message Not Public
thank you for the help, I'm going to try it