All geek questions in one place

Is it safe to store sensitive data in the JWT payload?

I am currently studying a JWT implementation with PHP and want to use JWT tokens instead of sessions for my RESTful application.

While creating a signature, I do something like this

token = base64Header + '.' + base64Payload + '.' + signature

Here we just use the base64 payload. If I embed sites like https://jwt.io/#debugger , the payload is decrypted (even if the signature is incorrect).

My questions,

  • Is JWT only to verify the signature with the server when sending data?
  • Is it insecure to store sensitive data in a payload?
  • If you are unsure of security, is there any way to protect the payload?

Below is an example of the code I wrote

 <?php $headers = base64_encode(json_encode([ "typ" => "JWT", "alg" => "HS256" ])); $claims = base64_encode(json_encode([ "sub" => "1234567890", "name" => "John Doe", "admin" => true, "jti" => "870a3de5-ea7b-4062-abef-11180e530f5a", "iat" => 1492603378, "exp" => 1492606978 ])); $payload = $headers.".".$claims; $signature = base64_encode(hash_hmac("sha256", $payload, 'secret', true)); $encodedJWT = $payload.".".$signature; // eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImp0aSI6Ijg3MGEzZGU1LWVhN2ItNDA2Mi1hYmVmLTExMTgwZTUzMGY1YSIsImlhdCI6MTQ5MjYwMzM3OCwiZXhwIjoxNDkyNjA2OTc4fQ.nvw-bAUgr7H_xr3q8_Yz8rCNtMohtn2YlCmcLoLBWlc
+5
source share
3 answers

If I embed pages such as https://jwt.io/#debugger , the payload is decrypted (even if the signature is incorrect).

Third parties cannot verify the signature because they do not have a secret key. The payload is not decrypted - it is decoded.

Ideally, you should not store sensitive data in the payload, since the payload is only base64 encoded and not encrypted. This means that anyone who holds the token can view the contents of the payload simply by decrypting it with base64.

If you have a token in the local storage of a web browser, and your site has an XSS vulnerability, it makes it trivial to steal the token. It’s bad enough that the attacker has a valid JWT (which I hope will expire soon), but if it contains confidential data, then you have real problems. Imagine that you need to notify all users of your site that they must now change various bits of sensitive data about themselves due to potential mass compromise.

Keep JWT light. Save the user ID, their roles / grants related to the system. If you feel that you need to add important data to the payload, try and rethink your solution.

+5
source

As I understand it, you are trying to have a full stateless server, so you want to store even sensitive data in a token.

But your server cannot be completely stateless. Because to exit the system you must have a black list or a white list in order to invalidate the token. Therefore, in each request, you must touch the database . Unless you have a blacklist or white list, the tokens are still valid, even when the user logs out.

So, it is better to get sensitive data from the database, since you have to touch your db for each request.

+1
source
  • Is JWT only to verify the signature with the server when sending data?

No, there is not only a signed JWT (JWS-RFC 7515) , but also an encrypted JWT (JWE - RFC 7516) .

  1. Is it insecure to store sensitive data in a payload?

When the JWT is encrypted, you can safely share sensitive data (unless the algorithm or key is compromised).

But in your example, I do not see any sensitive data, so I wonder if it is really important to use JWE in your case. I highly recommend you read this blog post about JWT and sessions and why you shouldn't use them for this purpose (also take a look at part 2 ).

If you really want to use JWE, I wrote a PHP library that can already load and create any kind of Jose (JWS / JWE) and supports almost all the algorithms from RFC 7518 out of the box. Other libraries may exist, but the list of links is missing ( https://jwt.io/ lists only JWS implementations).

+1
source

Source: https://habr.com/ru/post/1266913/

More articles:


All Articles