2

I have implemented user authentication using JWT in my Asp.Net Web API application. It's working fine: whenever a user logs in, an access token is generated and returned to the client, and the client sends it back with every request to access the secured resource. But if I copy the same access token and prepare a request from any other client (like Postman) using the same access token, it gives access to the protected resource. I think it's normal behavior. But is there any better solution to get rid of this, i.e. don't allow any other client even if it is using the same access token, so as to make it client-specific as well?

2 Answers

1

If you don't want any other intruder to copy your access token and access the protected resource, then you must use SSL.

To protect extremely sensitive data, you should keep the token lifetime to a very short window of time. If you are protecting something less sensitive, you could make the lifetime longer. The longer the token is valid, the larger the window of time an attacker will have to impersonate the authenticated user if the user's machine is compromised.

You can check this great answer to learn a few things.

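As an added example (not code from the question or either answer), here is the short-lifetime approach this answer recommends, written as a small C# program against the System.IdentityModel.Tokens.Jwt package that an ASP.NET Web API would typically use: it issues a 2-minute token and validates it with a tightened ClockSkew, since the library's default 5-minute skew would quietly stretch a "very short" lifetime. The signing key, issuer and audience are placeholders.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Constructed example: issue a short-lived HS256 JWT and validate it with a tight clock skew.
public static class ShortLivedJwtDemo
{
    // Placeholder key (>= 32 bytes for HS256); in a real API load it from configuration.
    private static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("replace-with-a-32-byte-random-secret!!"));
    private const string Issuer = "https://example.invalid/api"; // placeholder
    private const string Audience = "example-client";            // placeholder

    // Issue a token that expires after 'lifetime' (the "very short window" from the answer).
    public static string IssueToken(string userName, TimeSpan lifetime)
    {
        var now = DateTime.UtcNow;
        var token = new JwtSecurityToken(
            issuer: Issuer,
            audience: Audience,
            claims: new[] { new Claim(JwtRegisteredClaimNames.Sub, userName) },
            notBefore: now,
            expires: now.Add(lifetime),
            signingCredentials: new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Validate signature, issuer, audience and lifetime. ClockSkew defaults to 5 minutes,
    // which would let a 2-minute token pass for 7 minutes, so it is tightened here.
    public static ClaimsPrincipal Validate(string jwt)
    {
        var parameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true, IssuerSigningKey = Key,
            ValidateIssuer = true,           ValidIssuer = Issuer,
            ValidateAudience = true,         ValidAudience = Audience,
            ValidateLifetime = true,         ClockSkew = TimeSpan.FromSeconds(30),
        };
        try { return new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _); }
        catch (SecurityTokenExpiredException) { return null; } // expired: client must log in again
        catch (SecurityTokenException) { return null; }        // bad signature, issuer or audience
    }
    public static void Main()
    {
        string jwt = IssueToken("alice", TimeSpan.FromMinutes(2));
        Console.WriteLine(Validate(jwt) is null ? "rejected" : "accepted");
    }
}
```

A short lifetime narrows the window in which a copied token is usable, but by itself it does not make the token client-specific as the question asks; a token copied into Postman within its lifetime still validates.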

0

You should be passing in a username and password to obtain the token in the first place. That password is the private key that provides security to make sure no one else can obtain a token for that user. As long as your traffic is over https(ssl) then that token is protected in transit and no one else should be able to intercept it.

