Our team has been asked to prevent JWT hijacking in our API. Our solution has been to store a "fingerprint" of the user's IP and user agent in our database and validate that on each request. When the user logs out, we delete the fingerprint.

There are some problems with this:

  • users often don't log out
  • users' IPs change

If a user doesn't log out, their fingerprint will remain. When they come back to the application, if their IP has changed, they won't be able to log in, because it appears they are a hijacker.

What is the best approach to implement this kind of fingerprinting? Should we not be using the user IP?

  • So if your users don't log out then you should implement a timeout that limits the open window for that token to be live. Login should generate a new token handshake so your fingerprint would renew with new values; it shouldn't prevent login as that is the time you are authenticating your user. Is there something to prevent you from standard timeouts? Commented Nov 14, 2024 at 16:14

1 Answer


Use cookies. When the user logs in, send a cookie with the proper domain, named, let's say, "auth-cookie". It will contain your JWT token. These cookies will be automatically sent back to you every time the user sends a request. Set the httpOnly field to true so that a hijacker cannot read the token using JavaScript. On logout, set the "auth-cookie" cookie to blank.
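The following is an added example, not code from the asker or the answerer, that puts the pieces of this thread together: a short-lived HS256 JWT (standard library only), a fingerprint claim so that every new login renews the fingerprint instead of a row in the database, an `HttpOnly` `auth-cookie` on login, and a blanked cookie with `Max-Age=0` on logout. The secret, the cookie name `auth-cookie` (taken from the answer), the 15-minute lifetime and the choice to hash only the User-Agent (leaving the IP out so that an address change does not look like a hijack) are all assumptions of this example, not requirements stated on the page.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"replace-with-a-long-random-secret"  # assumption: server-side HMAC key
COOKIE_NAME = "auth-cookie"                    # name used in the answer above
TOKEN_TTL = 900                                # assumption: 15-minute token lifetime


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def fingerprint(user_agent: str) -> str:
    # Only the User-Agent is bound to the token. The client IP is left out on
    # purpose so that a user whose address changes is not treated as a hijacker.
    return hashlib.sha256(user_agent.encode()).hexdigest()


def mint_jwt(user_id: str, user_agent: str, ttl_seconds: int = TOKEN_TTL,
             now: Optional[int] = None) -> str:
    # Issued at login: a fresh exp and a fresh fingerprint every time, so a user
    # who never logged out can still log in from a new browser or address.
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": now, "exp": now + ttl_seconds,
               "fp": fingerprint(user_agent)}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jwt(token: str, user_agent: str, now: Optional[int] = None) -> Optional[dict]:
    # Returns the payload on success, None on any failure (bad signature,
    # wrong alg, expired, or fingerprint mismatch). Signature is checked before
    # anything in the payload is trusted.
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    if int(payload.get("exp", 0)) <= now:
        return None
    if not hmac.compare_digest(str(payload.get("fp", "")), fingerprint(user_agent)):
        return None
    return payload


def login_set_cookie(token: str) -> str:
    # Set-Cookie value for the login response: HttpOnly keeps script out of it,
    # Secure keeps it off plain HTTP, SameSite=Lax limits cross-site sending.
    return (f"{COOKIE_NAME}={token}; Path=/; HttpOnly; Secure; "
            f"SameSite=Lax; Max-Age={TOKEN_TTL}")


def logout_set_cookie() -> str:
    # Blank value plus Max-Age=0 makes the browser drop the cookie.
    return f"{COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0"


def cookie_from_request(cookie_header: str, name: str = COOKIE_NAME) -> Optional[str]:
    # Minimal Cookie header parser: "a=b; auth-cookie=xyz" -> "xyz"
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name and value:
            return value
    return None


def authenticate_request(headers: dict, now: Optional[int] = None) -> Optional[dict]:
    # Per-request check: pull the token from the cookie the browser sent back
    # and validate it against the User-Agent on this request.
    token = cookie_from_request(headers.get("Cookie", ""))
    if token is None:
        return None
    return verify_jwt(token, headers.get("User-Agent", ""), now)


if __name__ == "__main__":
    ua = "Mozilla/5.0 (constructed sample)"   # constructed sample User-Agent
    tok = mint_jwt("alice", ua)
    print(login_set_cookie(tok))
    print(authenticate_request({"Cookie": f"{COOKIE_NAME}={tok}", "User-Agent": ua}))
    print(authenticate_request({"Cookie": f"{COOKIE_NAME}={tok}", "User-Agent": "curl/8.0"}))
    print(logout_set_cookie())
```

Because the fingerprint lives in the signed token rather than in a database row, nothing has to be deleted at logout for the next login to work; the expiry is what bounds the window in which a stolen token stays usable, which is the point raised in the comment above.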
