Friday 2 June 2017

How to authenticate with cookies (security)

In Express, for "remember me" authentication, I create a JWT token with user_id. The encrypted version (based on a secret) of the token gets saved to a cookie on the client. If no session exists, we look for the cookie. If found, to check for authentication, the server decrypts the JWT token from the cookie, and we create a new session based on the id in the token.

My question: Wouldn't this mean that if someone copy-pasted the cookie to their computer, they would be able to pretend to be me? What am I doing wrong security-wise, and is there a better way to implement "remember me"?
via Nick
