I am creating my first Django-React application, but I got stuck on the login process.

Currently I am using simplejwt. While I can keep the access token inside React state, the refresh token has to be stored somewhere, which will leave the refresh token open to XSS.

I might not understand how JWT is supposed to work, but if it is encrypting user info with a secret key from the backend, then why not make it encrypt the IP of the user too?

That way, if the refresh token is stolen, we can check the encrypted IP inside the refresh token against the IP from the request: if they match, good; else, reject.

Sure, that means that if the user changes their IP, by using a VPN for example, they will have to log in again, but that is rare, and it's just a re-login.

  • JWT does not inherently protect against XSS. The protection you are talking about (perhaps) is a side effect of the mechanism used to store/send the token when needed. Commented Apr 8 at 17:49
  • On the other hand, the client's IP address remains unchanged during XSS, so tracking it also does not help protect against XSS (it can be used to protect against session hijacking) Commented Apr 8 at 17:51
  • Please provide enough code so others can better understand or reproduce the problem. Commented Apr 9 at 14:10
  • JWTs aren’t protected from XSS by default. To keep your refresh token safe, you should store it in an HttpOnly cookie, not in localStorage or React state. This way, it’s not accessible to JavaScript, so even if XSS happens, the token can’t be stolen. As for tying the JWT to the user's IP—while that might block stolen tokens, it causes problems when users switch networks or use VPNs, which is common. It's better to use secure cookies and follow best practices to prevent XSS in the first place. Commented Apr 9 at 18:28
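Added example (not code from the question, the comments, or simplejwt): a standard-library sketch of the IP-bound refresh token the question proposes, next to the HttpOnly cookie the last comment recommends. The signing key, user id, IP addresses, timestamps and the cookie Path are all made up for the demonstration. It uses HS256 as simplejwt does by default, which signs the payload rather than encrypting it, so the "ip" claim is readable by anyone holding the token but cannot be altered without the key. The scenarios at the bottom show the check passing for the legitimate client, rejecting a replay from another address, rejecting a payload that was edited without re-signing, and, as the second comment points out, still passing for a script injected by XSS, because that script runs in the victim's own browser from the victim's own address.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: a server-side signing key. In a Django project this would be
# settings.SECRET_KEY (or SIMPLE_JWT["SIGNING_KEY"]); this value is made up.
SECRET_KEY = b"example-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> bytes:
    return hmac.new(SECRET_KEY, signing_input.encode(), hashlib.sha256).digest()


def issue_refresh_token(user_id, client_ip, ttl_seconds=86400, now=None):
    """HS256 JWT with a custom "ip" claim.

    The payload is base64url-encoded and HMAC-signed, not encrypted: whoever
    holds the token can read the IP, but cannot change it without the key.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "type": "refresh", "iat": now,
               "exp": now + ttl_seconds, "ip": client_ip}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    return signing_input + "." + _b64url(_sign(signing_input))


def verify_refresh_token(token, request_ip, now=None):
    """Check signature, alg, type, expiry and the IP binding; raise ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    # Verify the signature before trusting anything in the header or payload.
    if not hmac.compare_digest(_sign(header_b64 + "." + payload_b64), _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    payload = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if payload.get("type") != "refresh":
        raise ValueError("not a refresh token")
    if now >= payload.get("exp", 0):
        raise ValueError("expired")
    if payload.get("ip") != request_ip:
        raise ValueError("ip mismatch")
    return payload


def refresh_outcome(token, request_ip, now=None):
    """Wrapper returning "ok" or the rejection reason, for the scenarios below."""
    try:
        verify_refresh_token(token, request_ip, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


def tamper_ip_claim(token, new_ip):
    """What an attacker can do without the key: rewrite the readable payload
    and keep the old signature. Verification must reject the result."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload["ip"] = new_ip
    new_payload_b64 = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    return header_b64 + "." + new_payload_b64 + "." + sig_b64


def refresh_cookie_header(token, max_age=86400):
    """Set-Cookie value for the refresh token, as the last comment suggests.
    HttpOnly keeps it out of document.cookie; Secure and SameSite limit where it
    is sent; the Path (an assumed URL) means only the refresh endpoint receives it."""
    return ("refresh_token=%s; Max-Age=%d; Path=/api/token/refresh/; "
            "HttpOnly; Secure; SameSite=Strict" % (token, max_age))


if __name__ == "__main__":
    # Constructed scenario: user 42 logs in from 203.0.113.7 at a fixed time.
    t0 = 1_700_000_000
    token = issue_refresh_token(42, "203.0.113.7", now=t0)
    print("legitimate client, same IP:   ", refresh_outcome(token, "203.0.113.7", now=t0 + 60))
    print("stolen, replayed from elsewhere:", refresh_outcome(token, "198.51.100.9", now=t0 + 60))
    print("payload edited without key:   ",
          refresh_outcome(tamper_ip_claim(token, "198.51.100.9"), "198.51.100.9", now=t0 + 60))
    # XSS: the injected script sends the request from the victim's browser, so
    # the address matches and the IP check cannot tell it apart from the user.
    print("request sent by XSS payload:  ", refresh_outcome(token, "203.0.113.7", now=t0 + 60))
    print(refresh_cookie_header(token))
```

Two practical caveats if you adopt the IP check at all: take the address from `request.META["REMOTE_ADDR"]`, and only from `X-Forwarded-For` when you sit behind a proxy you control and have configured to overwrite that header, since otherwise whoever replays the token can simply set the header to the victim's address. And treat the check as a hijacking mitigation, as the second comment says, not as XSS protection; keeping the refresh token in an HttpOnly cookie and preventing XSS in the first place is what actually keeps it out of an injected script's reach.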
