Wouldn't it be better to have your backend perform browser analysis from headers and compare it with what's in the JWT? Generating this kind of unique ID on the client means it will be sent to the server at one point and can be hijacked the same way as the JWT.
You're right, but the header information isn't clear enough. The package contains a one-time ID function (an ID which will only live for 30 seconds), which reduces the moments where hijackers can steal the ID. Sure, it isn't a perfect solution, but it is a more secure one and helps against Local Storage copiers 😆
I would have added or used a user-agent middleware on the server side: compile the user-agent information into the JWT and then check it through the middleware, and if the user agent + headers aren't the same, don't process the request.