Saturday 10 February 2018

JWT flow question

Hello guys, I cannot get exactly how things are going on with JWT. So, for example, a user is registering his account, he enters a username and password, and on the backend we hand him a token as a response. Before we send this response, we SIGN a token with a SECRET and we send the data we wanted inside that token. But the problem is that anyone can copy the token and go to the JWT website, paste it and see what's inside (why have we signed it?!). OK, I know we should not store sensitive data inside a token, but how does the SERVER know that the token which is being sent from the client is not stolen? How does that verification process go on the server? I know there is a VERIFY function of the JWT with that secret again, but what if the token is stolen? I am not sending anything from the client besides a token which can be decoded by anyone. So I am concerned about how the server knows if the right user is sending a JWT? Thanks. :)

Submitted February 10, 2018 at 04:15PM by nikola1970
