Where are JWT tokens stored on the server and other related questions









As the title suggests, where are JWT tokens stored on the server side? In a database or in memory? I understand the implementation can vary due to different requirements, but in general, where would you store it?

If I want to provide a very basic token authentication server, meaning that upon receiving a username and password via a POST request I would like to return a token, how does a token generated with a very basic algorithm work differently than a JWT token?

With a token generated by a simple algorithm:

  1. it does not contain a payload

  2. its value is not computed based on the username and password, thus it cannot be rehashed back to anything meaningful

In this case, is there still value in using JWT?

Thanks!







Tags: security, jwt














edited Oct 31 '15 at 7:20

























asked Oct 31 '15 at 4:25









Cheng












  • I'd really like to know where JWT tokens are stored on the server. @Cheng Did you find the answer by now?
    – Andru
    Jun 24 '16 at 15:50










  • @Andru nope....
    – Cheng
    Jun 25 '16 at 16:31




























3 Answers






The client needs to store it; on the server, storage is not required.

A JWT has all the claims in itself and is signed by the server as well. On receipt, the server checks the signature and reads the claims. It does not match it against a stored value. That is the whole point of using JWT versus access tokens.

Look at how a JWT is structured.

















            answered Jun 6 at 8:38









            Vikash























The JWT token is not required to be stored, but the "secret-key" needs to be stored.
The structure of a JWT is header.payload.signature, where the signature is generated by the server as below:

```
signature = HS256(base64Header + '.' + base64Payload, 'mysecret')
```

So in essence:

1. header.payload.signature is sent to the client on first sign-in

2. the client returns header.payload.signature in subsequent API calls

3. the server decodes it for verification as below:

```
base64Header, base64Payload, signature = token.split('.')

header = base64Decode(base64Header)
payload = base64Decode(base64Payload)

serverComputedSignature = HS256(base64Header + '.' + base64Payload, 'mysecret')

if serverComputedSignature != signature:
    print('FAILED')
```














                    edited Nov 10 at 18:59

























                    answered Nov 10 at 18:48









                    Akash Jain





















You don't need to store the token on the server side.
You should store a private key (any string of your choice) on the server, preferably as an environment variable. The method provided by jsonwebtoken uses this private key to generate a token to pass to the client.
The client has to store this token on the client side so that it can pass this token in the header of subsequent requests to the server.
The server would extract the token value from the header and validate it using the private key by calling a method of jsonwebtoken. If the token has not been modified by any means, then validation will succeed.

















                            answered Nov 10 at 19:01









                            Anuranjan Srivastav
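The two token models this thread compares, side by side, as an added Python example: the question's "simple algorithm" token that needs a server-side table, and the stateless JWT that the first answer describes ("checks the signature, not a stored value"), the second answer recomputes with HS256, and the third answer signs with a secret taken from the environment. This is not code from the question, from any of the answers, or from the jsonwebtoken library; the class names, the sample user, the fallback secret and the `JWT_SECRET` variable name are constructed for the demo. It goes slightly beyond the answers in that the verifier pins the `alg` header, compares signatures in constant time and enforces `exp`, the checks a practitioner would want before trusting the claims.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

# Constructed for this demo: a real service reads the secret from the environment
# (the third answer's advice); the fallback value is NOT for production use.
SECRET = os.environ.get("JWT_SECRET", "demo-secret-change-me")


def b64url_encode(raw: bytes) -> str:
    """base64url without '=' padding, the encoding JWT mandates."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode: restore the stripped padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256(signing_input: str, secret: str) -> str:
    """HMAC-SHA256 over 'header.payload', base64url-encoded (the HS256 of the second answer)."""
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return b64url_encode(mac)


class OpaqueTokenServer:
    """Model 1 (the question's 'simple algorithm'): a random token carrying no claims.
    The server must keep a table mapping token -> user (a dict here; a database or
    cache in practice), because the token by itself proves nothing."""

    def __init__(self) -> None:
        self.sessions: dict = {}

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, unguessable
        self.sessions[token] = username
        return token

    def verify(self, token: str):
        return self.sessions.get(token)     # None when unknown or revoked

    def revoke(self, token: str) -> None:
        self.sessions.pop(token, None)      # revocation is a plain delete


class JwtServer:
    """Model 2: a self-describing, signed token. Nothing is stored per token; the
    server keeps only the secret and re-derives the signature on every request."""

    def __init__(self, secret: str) -> None:
        self.secret = secret

    def issue(self, username: str, ttl_seconds: int = 3600) -> str:
        header = {"alg": "HS256", "typ": "JWT"}
        payload = {"sub": username, "exp": int(time.time()) + ttl_seconds}
        signing_input = ".".join(
            b64url_encode(json.dumps(part, separators=(",", ":")).encode())
            for part in (header, payload)
        )
        return signing_input + "." + hs256(signing_input, self.secret)

    def verify(self, token: str, now=None):
        """Return the claims if the token is genuine and unexpired, else None."""
        try:
            b64_header, b64_payload, signature = token.split(".")
            header = json.loads(b64url_decode(b64_header))
            payload = json.loads(b64url_decode(b64_payload))
        except (ValueError, UnicodeDecodeError):
            return None                     # malformed: wrong segment count or bad encoding
        if not (isinstance(header, dict) and isinstance(payload, dict)):
            return None
        # The verifier decides the algorithm; a header asking for anything else is rejected.
        if header.get("alg") != "HS256":
            return None
        expected = hs256(b64_header + "." + b64_payload, self.secret)
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return None                     # header or payload altered, or wrong secret
        current = int(time.time()) if now is None else now
        if not isinstance(payload.get("exp"), int) or payload["exp"] <= current:
            return None                     # expired: the only revocation a stateless JWT offers
        return payload


if __name__ == "__main__":
    opaque, jwt = OpaqueTokenServer(), JwtServer(SECRET)
    t1, t2 = opaque.issue("alice"), jwt.issue("alice")
    print("opaque lookup:", opaque.verify(t1), "| server state:", len(opaque.sessions), "entry")
    print("jwt claims:   ", jwt.verify(t2), "| server state: the secret only")
```

Running the block issues one token of each kind and verifies both. The contrast is the answer to the original question: the opaque token needs the `sessions` table (in memory or in a database) because the token is meaningless on its own, and revoking it is a delete; the JWT stores nothing per token and can only be "revoked" by letting `exp` pass, so a service that needs immediate logout ends up adding a server-side denylist of token ids anyway, at which point some state is back.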




























                                 
