I've been thinking about the security risks associated with JWTs, particularly the concern of someone stealing your cookies and logging in as you. What if browsers implemented a unique ID system to be sent along with these tokens? This ID would function as an extra layer of security, kind of like two-factor authentication. It would be reset with incognito mode, but when using a standard browser profile, it could help keep sessions secure. I believe this could be standardized so that if the ID doesn't meet certain criteria, it's ignored. My concern with using IP addresses for authentication is that they change frequently, especially on mobile devices. A unique browser ID could help prevent unexpected logouts. If this concept has merits, I'd love to hear any counterarguments or thoughts on potential issues since I know I can't be the first to think of it. What do you all think?
9 Answers
I see where you’re coming from, but if someone manages to steal your JWT, can’t they just grab your unique browser ID too? It might not necessarily add much extra security and could end up making things more complicated.
Interesting idea, but where would that ID even be stored? Would it just be another cookie?
This feels like introducing a perfect browser fingerprint, which advertisers and trackers would love without considering the privacy implications. Plus, if someone can steal your cookies, they probably have bigger security issues to worry about than just this ID.
People generally use their own devices for important logins, so it might just come down to user convenience. Most won’t log in on a stranger's device unless necessary, but they should always sign out afterward to remove the cookies.
A browser JWT should be short-lived anyway, so if it does get compromised, the damage is limited since they expire and refresh often. Just hope you're not logged out every time!
But wouldn’t that cause you to log out a lot?
Consider this: anyone can make requests to a server without using a browser—think curl or command line scripts. If someone can steal your JWT, they can easily capture this ID you're suggesting too, which doesn't really improve security.
If an attacker can swipe your cookies, I don't see much added value in this new ID. Plus, what’s stopping them from grabbing that ID too?
You might be thinking of refresh tokens here. If compromised, the security concerns are still pretty much the same since you're just adding more to the mix, not really enhancing security.
You might be onto something with this concept! There’s actually something similar called Proof of Possession (DPoP) as per RFC 9449, which utilizes a private/public key setup to enhance security and includes a key in the JWT itself. It's got potential!
Glad to hear I’m not alone in thinking about this! I know my idea was too simplistic, but such insights really help me expand my understanding.

That kind of makes sense—if the token's tied to a specific user agent, using another one could create issues since the bad actor would likely be using a different setup.