Versions Compared

Old Version 4

changes.mady.by.user Aiyan Jiang

Saved on

compared with

New Version 5

changes.mady.by.user Aiyan Jiang

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
languagejson
{
  "sub": "<username>",
  "role": "<user_role">,
  "context": "<hashed_cookie_context">,
  "iat": "<issue_date">,
  "exp": "<expiration_date">
}

Variable

Description

<username>

The username of the authorized user.

<user_role>

The role of the user.

<hashed_cookie_context>

The hashed context of the session. This will be compared to a sent cookie.

See the “Potential Vulnerabilities” section for more details.

<issue_date>

(Built-in to JWT) The date the token was issued.

Note that the date is the number of seconds since Jan 1 1970. This is the equivalent of Javascript Date.now() * 1000.

<expiration_date>

The date the token expires.

Token Attainment

The method by which the token will be securely obtained by the Safe Places web app.

...

An attacker may steal the token from the authorized user and use it for nefarious purposes. To mitigate this attack, we will employ token contextualization.

  1. We generate a random string during the authentication phase and send it to the client as a cookie.

    1. The cookie must have the flags HttpOnly, Secure, and SameSite.

  2. We store a SHA256 hash of the random string in the token as context.

During token validation, we hash compare the token context in the token and compare it with the sent cookie. If they are different, then reject the request.

...