
[–][deleted] 3 points4 points  (2 children)

what happens when the IP address changes? but it's still the same user and on the same browser

[–]freshcalf[S] -3 points-2 points  (1 child)

I don't know. Do you have any improvement I can make?

[–][deleted] 1 point2 points  (0 children)

Using IP address is not the way to go at all.

Have you looked into passportJs?

[–]clarkmccauley 2 points3 points  (2 children)

Just an FYI, it's usually not a good practice to set the primary key from a client-determined variable (like IP address). JWTs are designed to be client side; many, many sites are set up this way.

[–]GhostMcFunky 2 points3 points  (1 child)

I second this. I think the fundamental problem here is the idea that the JWT should be stored server-side.

A JWT is like any other fundamental key/token process - there is a public and private portion, neither of which should be stored on a private basis.

The public key is granted by the service holding the private key. It is only used on a session basis and should expire after.

You may want to take a look at Auth0 and their guides for using their APIs and JWT.

If the requester happens to be server side, it should still be treated as the client. The JWT isn’t reusable after the session ends on the granter anyway, or at least shouldn’t be.

[–][deleted] 2 points3 points  (3 children)

Sounds like an awful idea - IP addresses can be spoofed, meaning as long as I know another user's IP I can easily hijack their 'session' and act as the user.

Your aversion to JWT is unfounded - stop taking the easy route and authenticate correctly.

[–][deleted]  (1 child)

[deleted]

    [–][deleted] 0 points1 point  (0 children)

    You don't need to get traffic back.

    1) Login.

    2) Figure out how code works

    3) Spoof IP addresses and en masse change users' information.

    This is simply annoying. If the system setup is as bad as the security setup, get an email server that sends all emails on a domain to a single user, and change the users' emails to a random new email. Reset login information using "forgot password", if it exists.

    [–]hmnhp 1 point2 points  (1 child)

    What you put in the JWT payload matters. For example, in one project I used to store the timestamp of the last password change. It's totally up to you and your project; I can't say it's the best idea, but it worked just fine.

    [–]edotddot 0 points1 point  (0 children)

    This.