I read some posts about “JWT vs Cookie” but they only made me more confused… I want some clarification, when people talking about “token-based authentication vs cookies”, cookies here merely refer to session cookies? My understanding is that cookie is like a medium, it can be used to implement a token-based authentication(store something that can … Read more
I’m testing an implementation of JWT Token based security based off the following article. I have successfully received a token from the test server. I can’t figure out how to have the Chrome POSTMAN REST Client program send the token in the header. My questions are as follows: 1) Am I using the right header … Read more
I’m building a mobile app and am using JWT for authentication. It seems like the best way to do this is to pair the JWT access token with a refresh token so that I can expire the access token as frequently as I want. What does a refresh token look like? Is it a random … Read more
What is the advantage of using JWTs over sessions in situations like authentication? Is it used as a standalone approach or is it used in the session? 5 Answers 5
I know cookie-based authentication. SSL and HttpOnly flags can be applied to protect cookie-based authentication from MITM and XSS. However, more special measures will be needed to apply in order to protect it from CSRF. They are just a bit complicated. (reference) Recently, I discover that JSON Web Token (JWT) is quite hot as a … Read more
I’m currently building a single page application using ReactJS. I read that one of the reasons for not using localStorage is because of XSS vulnerabilities. Since React escapes all user input, would it now be safe to use localStorage? 10 Answers 10
I am trying to implement stateless authentication with JWT for my RESTful APIs. AFAIK, JWT is basically an encrypted string passed as HTTP headers during a REST call. But what if there’s an eavesdropper who see the request and steals the token? Then he will be able to fake request with my identity? Actually, this … Read more
I’m trying to support JWT bearer token (JSON Web Token) in my web API application and I’m getting lost. I see support for .NET Core and for OWIN applications. I’m currently hosting my application in IIS. How can I achieve this authentication module in my application? Is there any way I can use the <authentication> … Read more
I’m using Auth0 to handle authentication in my web app. I’m using ASP.NET Core v1.0.0 and Angular 2 rc5 and I don’t know much about authentication/security in general. In the Auth0 docs for ASP.NET Core Web Api, there are two choices for the JWT algorithm being RS256 and HS256. This may be a dumb question … Read more
How can I decode the payload of JWT using JavaScript? Without a library. So the token just returns a payload object that can consumed by my front-end app. Example token: xxxxxxxxx.XXXXXXXX.xxxxxxxx And the result is the payload: {exp: 10012016 name: john doe, scope:[‘admin’]} 20 Answers 20
