Why the "single use" could solve MITM? #68
Comments
@NE-SmallTown Good question. The question you have to answer is: how are you planning on ensuring that a token is not re-used?
@nelsonic Thanks for your reply. I am a little confused. There is a question. As you say, the process is: the user accesses the home page and sends the token in the header (assuming they have logged in);
the server receives the token and then gets the There is a question, we just use
If I am wrong, could you tell me how and where to use the token's own verification mechanism like the above? IMO, the only place I can use the token's own verification mechanism is where I get the old token's exp parameter and put it into the new token, so that I can check whether the token is out of date and make the user log in again.
The client receives the new token and pushes it to the
@nelsonic Hello?
@NE-SmallTown my apologies for not replying immediately. @jbspeakr has a post on how to single-use JWTs,
@nelsonic Thanks for sharing the post. The post says:
I agree that these cases suit single-use JWTs, but in my case the JWT includes the user role information and the role is constant; it is not like password reset, email activation, account confirmation, etc. So, back to the question: in my case, I now think it is unnecessary to verify the token, just use the == operator with the database's token.
The section about MITM (Man-in-the-Middle Attack) says that "use one-time-use (single use) tokens (which expire after the link has been clicked)" is a solution to MITM.
My question is that if the token is only used once, the user must log in again after every request is sent. On the other hand, if the server destroys the token and returns a new token every time, the new token could still be intercepted by the man in the middle.
If I am wrong, please let me know, thanks!
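As an added example (not code from this thread or from the project the issue belongs to), here is a small Python sketch of the single-use scheme the thread is discussing: every token carries a random `jti`, the server remembers only the one live `jti` per user, consuming a token revokes it and returns a successor that carries the original `exp` forward (so rotation does not keep the user logged in forever), and an intercepted copy of an already-consumed token is rejected as a replay. The HS256 helpers, the secret and the user names are constructed for the demo.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-secret"  # constructed for this example only

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(payload: dict) -> str:
    """Build a compact HS256 JWT (header.payload.signature)."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify(token: str) -> dict:
    """Check signature and expiry; raise ValueError if either fails."""
    head, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    payload = json.loads(_unb64(body))
    if payload["exp"] < time.time():
        raise ValueError("expired")
    return payload

class SingleUseSession:
    """Server side: remembers the one live jti per user; consuming a token rotates it."""

    def __init__(self):
        self.live = {}  # sub -> jti of the only token currently accepted for that user

    def issue(self, sub: str, role: str, ttl: int = 3600) -> str:
        jti = secrets.token_hex(16)
        self.live[sub] = jti
        return sign({"sub": sub, "role": role, "jti": jti, "exp": int(time.time()) + ttl})

    def consume(self, token: str):
        payload = verify(token)  # signature and exp are checked first
        if not hmac.compare_digest(self.live.get(payload["sub"], ""), payload["jti"]):
            raise ValueError("token already used or revoked")  # replay of an old copy
        new_jti = secrets.token_hex(16)
        self.live[payload["sub"]] = new_jti  # the presented token is now dead
        # Carry the original exp forward so rotation never extends the session.
        return payload, sign({**payload, "jti": new_jti})
```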