Thanks for this article. I have a few points though:
To make the best of a secret key, an idea is to make unique secret keys for each authentication
If we do this, then the user will have to do a DB call each time token verification is required, which defeats the point of using JWTs in the first place. Instead, I recommend using the same key for all users and keep changing that key over time, as explained in this article: supertokens.io/blog/the-best-way-t...
Tokens in cookies or localStorage can be retrieved by an XSS attack.
If we use httpOnly cookies, any JavaScript running on the client side cannot read those cookies, thereby minimising the risk of XSS.