Where are JWT tokens stored on the server and other related questions









up vote
2
down vote

favorite












As the title suggests, where are JWT tokens stored on the server side? in database or in memeory? I understand the implementation can vary due to different requirements, but just in general where would you store it?



If I want to provide a very basic token authentication server, meaning upon receiving a username and password via a POST request, I would like to return a token. In this case, how is a token generated with a very basic algorithm work differently than a jwt token?



With a token generated by a simple algorithm:



  1. it does not contain payload

  2. its value is not computed based on the username and password, thus it cannot be rehashed back to anything meaningful

In this case, is there still value to use JWT?



Thanks!










share|improve this question























  • I'd really like to know where JWT tokens are stored on the server. @Cheng Did you find the answer by now?
    – Andru
    Jun 24 '16 at 15:50










  • @Andru nope....
    – Cheng
    Jun 25 '16 at 16:31














up vote
2
down vote

favorite












As the title suggests, where are JWT tokens stored on the server side? in database or in memeory? I understand the implementation can vary due to different requirements, but just in general where would you store it?



If I want to provide a very basic token authentication server, meaning upon receiving a username and password via a POST request, I would like to return a token. In this case, how is a token generated with a very basic algorithm work differently than a jwt token?



With a token generated by a simple algorithm:



  1. it does not contain payload

  2. its value is not computed based on the username and password, thus it cannot be rehashed back to anything meaningful

In this case, is there still value to use JWT?



Thanks!










share|improve this question























  • I'd really like to know where JWT tokens are stored on the server. @Cheng Did you find the answer by now?
    – Andru
    Jun 24 '16 at 15:50










  • @Andru nope....
    – Cheng
    Jun 25 '16 at 16:31












up vote
2
down vote

favorite









up vote
2
down vote

favorite











As the title suggests, where are JWT tokens stored on the server side? in database or in memeory? I understand the implementation can vary due to different requirements, but just in general where would you store it?



If I want to provide a very basic token authentication server, meaning upon receiving a username and password via a POST request, I would like to return a token. In this case, how is a token generated with a very basic algorithm work differently than a jwt token?



With a token generated by a simple algorithm:



  1. it does not contain payload

  2. its value is not computed based on the username and password, thus it cannot be rehashed back to anything meaningful

In this case, is there still value to use JWT?



Thanks!










share|improve this question















As the title suggests, where are JWT tokens stored on the server side? in database or in memeory? I understand the implementation can vary due to different requirements, but just in general where would you store it?



If I want to provide a very basic token authentication server, meaning upon receiving a username and password via a POST request, I would like to return a token. In this case, how is a token generated with a very basic algorithm work differently than a jwt token?



With a token generated by a simple algorithm:



  1. it does not contain payload

  2. its value is not computed based on the username and password, thus it cannot be rehashed back to anything meaningful

In this case, is there still value to use JWT?



Thanks!







security jwt






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Oct 31 '15 at 7:20

























asked Oct 31 '15 at 4:25









Cheng

5,88663760




5,88663760











  • I'd really like to know where JWT tokens are stored on the server. @Cheng Did you find the answer by now?
    – Andru
    Jun 24 '16 at 15:50










  • @Andru nope....
    – Cheng
    Jun 25 '16 at 16:31
















  • I'd really like to know where JWT tokens are stored on the server. @Cheng Did you find the answer by now?
    – Andru
    Jun 24 '16 at 15:50










  • @Andru nope....
    – Cheng
    Jun 25 '16 at 16:31















I'd really like to know where JWT tokens are stored on the server. @Cheng Did you find the answer by now?
– Andru
Jun 24 '16 at 15:50




I'd really like to know where JWT tokens are stored on the server. @Cheng Did you find the answer by now?
– Andru
Jun 24 '16 at 15:50












@Andru nope....
– Cheng
Jun 25 '16 at 16:31




@Andru nope....
– Cheng
Jun 25 '16 at 16:31












3 Answers
3






active

oldest

votes

















up vote
1
down vote













client needs to store it, on server storage is not required.



JWT have all the claims in itself and is signed by the server as well. On receipt, server checks for the signature and reads the claims. It does not match it against a stored value. That is the whole point of using JWT against access tokens.



Look at how a JWT is structured.






share|improve this answer



























    up vote
    0
    down vote













    Jwt token is not required to be stored but the "secret-key" needs to be stored.
    The structure of jwt is header.payload.signature where signature is generated as below by the server :



    signature = HS256(base64Header + '.' + base64Payload, 'mysecret')


    So in essense:

    1.header.payload.signature is sent to client on first sign in



    2.client return back header.payload.signature in subsequent api call
    3.server decodes it for verification as below:
    base64Header, base64Payload, signature = token.split('.')



    header = base64Decode(base64Header) 
    payload = base64Decode(base64Payload)

    serverComputedSignature = HS256(base64Header + '.' + base64Payload,
    'mysecret')

    if serverComputedSignature != signature:
    print('FAILED')





    share|improve this answer





























      up vote
      0
      down vote













      You don't need to store token on server side.
      You should store a private key ( any string of your choice)at server preferably as environment variable.The jsonwebtoken provided method use this private key to generate a token to pass to client.
      Client has to store this token at client side so that it can pass this token to subsequent request to server in header.
      Server would extract the token value from header and validate it using private key by calling a method of jsonwebtoken.If token is not modified by any means then validate will succeed.






      share|improve this answer




















        Your Answer






        StackExchange.ifUsing("editor", function ()
        StackExchange.using("externalEditor", function ()
        StackExchange.using("snippets", function ()
        StackExchange.snippets.init();
        );
        );
        , "code-snippets");

        StackExchange.ready(function()
        var channelOptions =
        tags: "".split(" "),
        id: "1"
        ;
        initTagRenderer("".split(" "), "".split(" "), channelOptions);

        StackExchange.using("externalEditor", function()
        // Have to fire editor after snippets, if snippets enabled
        if (StackExchange.settings.snippets.snippetsEnabled)
        StackExchange.using("snippets", function()
        createEditor();
        );

        else
        createEditor();

        );

        function createEditor()
        StackExchange.prepareEditor(
        heartbeatType: 'answer',
        convertImagesToLinks: true,
        noModals: true,
        showLowRepImageUploadWarning: true,
        reputationToPostImages: 10,
        bindNavPrevention: true,
        postfix: "",
        imageUploader:
        brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
        contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
        allowUrls: true
        ,
        onDemand: true,
        discardSelector: ".discard-answer"
        ,immediatelyShowMarkdownHelp:true
        );



        );













         

        draft saved


        draft discarded


















        StackExchange.ready(
        function ()
        StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f33448044%2fwhere-are-jwt-tokens-stored-on-the-server-and-other-related-questions%23new-answer', 'question_page');

        );

        Post as a guest















        Required, but never shown

























        3 Answers
        3






        active

        oldest

        votes








        3 Answers
        3






        active

        oldest

        votes









        active

        oldest

        votes






        active

        oldest

        votes








        up vote
        1
        down vote













        client needs to store it, on server storage is not required.



        JWT have all the claims in itself and is signed by the server as well. On receipt, server checks for the signature and reads the claims. It does not match it against a stored value. That is the whole point of using JWT against access tokens.



        Look at how a JWT is structured.






        share|improve this answer
























          up vote
          1
          down vote













          client needs to store it, on server storage is not required.



          JWT have all the claims in itself and is signed by the server as well. On receipt, server checks for the signature and reads the claims. It does not match it against a stored value. That is the whole point of using JWT against access tokens.



          Look at how a JWT is structured.






          share|improve this answer






















            up vote
            1
            down vote










            up vote
            1
            down vote









            client needs to store it, on server storage is not required.



            JWT have all the claims in itself and is signed by the server as well. On receipt, server checks for the signature and reads the claims. It does not match it against a stored value. That is the whole point of using JWT against access tokens.



            Look at how a JWT is structured.






            share|improve this answer












            client needs to store it, on server storage is not required.



            JWT have all the claims in itself and is signed by the server as well. On receipt, server checks for the signature and reads the claims. It does not match it against a stored value. That is the whole point of using JWT against access tokens.



            Look at how a JWT is structured.







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered Jun 6 at 8:38









            Vikash

            7462516




            7462516






















                up vote
                0
                down vote













                Jwt token is not required to be stored but the "secret-key" needs to be stored.
                The structure of jwt is header.payload.signature where signature is generated as below by the server :



                signature = HS256(base64Header + '.' + base64Payload, 'mysecret')


                So in essense:

                1.header.payload.signature is sent to client on first sign in



                2.client return back header.payload.signature in subsequent api call
                3.server decodes it for verification as below:
                base64Header, base64Payload, signature = token.split('.')



                header = base64Decode(base64Header) 
                payload = base64Decode(base64Payload)

                serverComputedSignature = HS256(base64Header + '.' + base64Payload,
                'mysecret')

                if serverComputedSignature != signature:
                print('FAILED')





                share|improve this answer


























                  up vote
                  0
                  down vote













                  Jwt token is not required to be stored but the "secret-key" needs to be stored.
                  The structure of jwt is header.payload.signature where signature is generated as below by the server :



                  signature = HS256(base64Header + '.' + base64Payload, 'mysecret')


                  So in essense:

                  1.header.payload.signature is sent to client on first sign in



                  2.client return back header.payload.signature in subsequent api call
                  3.server decodes it for verification as below:
                  base64Header, base64Payload, signature = token.split('.')



                  header = base64Decode(base64Header) 
                  payload = base64Decode(base64Payload)

                  serverComputedSignature = HS256(base64Header + '.' + base64Payload,
                  'mysecret')

                  if serverComputedSignature != signature:
                  print('FAILED')





                  share|improve this answer
























                    up vote
                    0
                    down vote










                    up vote
                    0
                    down vote









                    Jwt token is not required to be stored but the "secret-key" needs to be stored.
                    The structure of jwt is header.payload.signature where signature is generated as below by the server :



                    signature = HS256(base64Header + '.' + base64Payload, 'mysecret')


                    So in essense:

                    1.header.payload.signature is sent to client on first sign in



                    2.client return back header.payload.signature in subsequent api call
                    3.server decodes it for verification as below:
                    base64Header, base64Payload, signature = token.split('.')



                    header = base64Decode(base64Header) 
                    payload = base64Decode(base64Payload)

                    serverComputedSignature = HS256(base64Header + '.' + base64Payload,
                    'mysecret')

                    if serverComputedSignature != signature:
                    print('FAILED')





                    share|improve this answer














                    Jwt token is not required to be stored but the "secret-key" needs to be stored.
                    The structure of jwt is header.payload.signature where signature is generated as below by the server :



                    signature = HS256(base64Header + '.' + base64Payload, 'mysecret')


                    So in essense:

                    1.header.payload.signature is sent to client on first sign in



                    2.client return back header.payload.signature in subsequent api call
                    3.server decodes it for verification as below:
                    base64Header, base64Payload, signature = token.split('.')



                    header = base64Decode(base64Header) 
                    payload = base64Decode(base64Payload)

                    serverComputedSignature = HS256(base64Header + '.' + base64Payload,
                    'mysecret')

                    if serverComputedSignature != signature:
                    print('FAILED')






                    share|improve this answer














                    share|improve this answer



                    share|improve this answer








                    edited Nov 10 at 18:59

























                    answered Nov 10 at 18:48









                    Akash Jain

                    547




                    547




















                        up vote
                        0
                        down vote













                        You don't need to store token on server side.
                        You should store a private key ( any string of your choice)at server preferably as environment variable.The jsonwebtoken provided method use this private key to generate a token to pass to client.
                        Client has to store this token at client side so that it can pass this token to subsequent request to server in header.
                        Server would extract the token value from header and validate it using private key by calling a method of jsonwebtoken.If token is not modified by any means then validate will succeed.






                        share|improve this answer
























                          up vote
                          0
                          down vote













                          You don't need to store token on server side.
                          You should store a private key ( any string of your choice)at server preferably as environment variable.The jsonwebtoken provided method use this private key to generate a token to pass to client.
                          Client has to store this token at client side so that it can pass this token to subsequent request to server in header.
                          Server would extract the token value from header and validate it using private key by calling a method of jsonwebtoken.If token is not modified by any means then validate will succeed.






                          share|improve this answer






















                            up vote
                            0
                            down vote










                            up vote
                            0
                            down vote









                            You don't need to store token on server side.
                            You should store a private key ( any string of your choice)at server preferably as environment variable.The jsonwebtoken provided method use this private key to generate a token to pass to client.
                            Client has to store this token at client side so that it can pass this token to subsequent request to server in header.
                            Server would extract the token value from header and validate it using private key by calling a method of jsonwebtoken.If token is not modified by any means then validate will succeed.






                            share|improve this answer












                            You don't need to store token on server side.
                            You should store a private key ( any string of your choice)at server preferably as environment variable.The jsonwebtoken provided method use this private key to generate a token to pass to client.
                            Client has to store this token at client side so that it can pass this token to subsequent request to server in header.
                            Server would extract the token value from header and validate it using private key by calling a method of jsonwebtoken.If token is not modified by any means then validate will succeed.







                            share|improve this answer












                            share|improve this answer



                            share|improve this answer










                            answered Nov 10 at 19:01









                            Anuranjan Srivastav

                            768




                            768



























                                 

                                draft saved


                                draft discarded















































                                 


                                draft saved


                                draft discarded














                                StackExchange.ready(
                                function ()
                                StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f33448044%2fwhere-are-jwt-tokens-stored-on-the-server-and-other-related-questions%23new-answer', 'question_page');

                                );

                                Post as a guest















                                Required, but never shown





















































                                Required, but never shown














                                Required, but never shown












                                Required, but never shown







                                Required, but never shown

































                                Required, but never shown














                                Required, but never shown












                                Required, but never shown







                                Required, but never shown







                                這個網誌中的熱門文章

                                How to read a connectionString WITH PROVIDER in .NET Core?

                                Node.js Script on GitHub Pages or Amazon S3

                                Museum of Modern and Contemporary Art of Trento and Rovereto