
I'm creating a sort of 'social network'. Now I'm creating the authentication part. Today I learned about JSON Web Tokens.

1) I read that JWTs are safe to use, because they are signed with a secret key. But then I found some tools online like https://jwt.io. I tried to build some JWT tokens with PHP using firebase/php-jwt. The tools like jwt.io can extract the data I put in the JWT (like user ID). How can this be safe? Can't someone just create a new JWT using the old one but with a different user ID?

An example: I created the following token:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJNeUFQIiwiaWF0IjoxNTE2NTYzMTM0LCJleHAiOjE1MTY1NjQzNDAsImF1ZCI6Ind3dy5leGFtcGxlLmNvbSIsInN1YiI6ImFkbWluQGV4YW1wbGUuY29tIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOiJmYWxzZSJ9.dCtYVpFXhoQmzOdX_dW1yFHEcZ9aZ1I9MC33lJGapvY

If you paste this token in jwt.io, you'll see the payload is "name: John Doe" and "admin: false". Isn't this unsafe? Or is it safe because you NEED the secret key to recreate a JWT?

Off the record: You cannot store sensitive information in a JWT I guess...

2) How to "login" a user using PHP and JWTs? I created a quick demo, I'm not sure the code "works" but I guess you'll see what I mean.

if (isset($_POST['submit'])) {
    $user = $_POST['user'];
    $pass = $_POST['pass'];

    // strict comparison (===), not assignment (=); both variables must match the ones read above
    if ($user === 'my_username' && $pass === 'my_password') {
        // user is logged in
        // create a JWT here
    } else {
        // wrong credentials!
    }
}

Now, the question/problem is: how to store this token? In a cookie? In a session? Using HTML5's localStorage? What is the safest way to do this?

And secondly: how to authenticate the user? I would do it like this:

use Firebase\JWT\JWT;

// my secret key
$secret = 'MY_SECRET_KEY';

// decode the token; this verifies the signature with $secret and throws if the
// token is invalid or expired (firebase/php-jwt 5.x signature shown here)
$token = JWT::decode($token, $secret, array('HS256'));

// what to do here?

Can you match this token with some data in a database or something?

  • If someone modifies the data in the token, the signature (the third part of the token) will be invalid. It's up to you to authenticate what you get from the client to make sure that the data and the signature matches. Since this is the main feature when using JWT, I would recommend that you read up a bit more about them. Here's a pretty good article. Commented Jan 21, 2018 at 19:50

1 Answer


1) The JWT token is not encrypted, so the data inside it can be easily read. However, it contains a signature that can be validated only with the secret key you have set when creating the token. You can check the signature to see that the token has not been tampered with.

2) The token can be stored anywhere, since it's so small. Just remember that the token can be easily read, but not altered. Don't store any sensitive data in the tokens.

When checking the token, the important things to check are the signature and the exp time to see that the token is still valid. A well-constructed token doesn't need full database validation, but rather just check that the user's privileges haven't been changed since issuing the token, and if they have, recreate the token with the updated data or force the user to log in again.
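The checks the answer describes (signature, then exp) and the tampering scenario from the question, as an added example in plain PHP; it is not code from the question, the answer or firebase/php-jwt, and the secret and claims are constructed placeholders. It also pins the alg header, as the comments below point out.

```php
<?php
// Added example: minimal HS256 JWT issue/verify in plain PHP. A real application
// should use a maintained library such as firebase/php-jwt; this only shows what
// the verification step must do and why an edited payload is rejected.

function b64url(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64url_decode(string $data): string {
    $pad = str_repeat('=', (4 - strlen($data) % 4) % 4);
    return base64_decode(strtr($data, '-_', '+/') . $pad);
}

function issue_token(array $claims, string $secret): string {
    $header  = b64url(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
    $payload = b64url(json_encode($claims));
    $sig     = b64url(hash_hmac('sha256', "$header.$payload", $secret, true));
    return "$header.$payload.$sig";
}

// Returns the claims when the token is genuine and unexpired, otherwise null.
function verify_token(string $jwt, string $secret): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return null;
    [$h, $p, $s] = $parts;
    $header = json_decode(b64url_decode($h), true);
    // Pin the algorithm: the alg the client sends is never trusted.
    if (!is_array($header) || ($header['alg'] ?? '') !== 'HS256') return null;
    $expected = b64url(hash_hmac('sha256', "$h.$p", $secret, true));
    // Constant-time comparison so the check does not leak timing information.
    if (!hash_equals($expected, $s)) return null;
    $claims = json_decode(b64url_decode($p), true);
    if (!is_array($claims)) return null;
    // exp is a UNIX timestamp; an expired token is rejected even if well signed.
    if (!isset($claims['exp']) || time() >= $claims['exp']) return null;
    return $claims;
}

$secret = 'REPLACE_WITH_A_LONG_RANDOM_SECRET';   // constructed placeholder
$claims = ['sub' => 'john@example.com', 'admin' => false, 'exp' => time() + 600];
$token  = issue_token($claims, $secret);
var_dump(verify_token($token, $secret));          // genuine token: claims are returned

// The payload is readable and can be re-encoded by anyone, but the old
// signature was computed over the original payload and no longer matches.
[$h, $p, $s] = explode('.', $token);
$edited = b64url(json_encode(['admin' => true] + $claims));
var_dump(verify_token("$h.$edited.$s", $secret));  // tampered token: rejected
```

Run with `php example.php`; the second call fails at the hash_equals check, which is the point the answer makes about the signature.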


4 Comments

Please note that JWT can be encrypted (see RFC7516). Also, you should mention that the alg header member and the iss, sub and aud claims are as important as the exp claim.
Also, the statement that the signature can be verified only with the private key used for creating it is wrong. The public key is sufficient for that purpose.
@Stanimir Stoyanov I haven’t made any statements about RSA or ECDSA encryptions, which have the private and public keys. In that case you’d be right, the public key can be used to verify the signature. In this case he is using HS256, which only has the secret key.
@onik you're right, I've overlooked the fact that the OP is using HS256.
