Difference between SSL and JWT


I've been reading, trying to comprehend the differences in browser side security. From what I gather, SSL is used to keep people from sniffing the traffic you send to the server. This allows you to send a password to the server in clear text...right? As long as you are in an SSL encrypted session you don't have to worry about hashing the password first or anything weird, just send it straight to the server along with the username. After the user authenticates you send them a JWT, and all future requests to the server should include that JWT, assuming they are trying to access a secured area. This allows the server to not have to check the password; all the server does is verify the signature, and that's all the server cares about. As long as the signature is verified you give the client whatever info they are requesting. Have I missed something?

You are correct. "This allows the server to not have to check the password." Why would you have to check the password on each request?

A JWT is a means of verifying authentication. It is generated upon a successful authentication request and henceforth passed with each request to let the server know the user is authenticated.

It can be used to store arbitrary values such as user_id or api_key, but it is not secure, so don't store valuable information here.

Be wary though: if a plain JWT is intercepted by a third party, they can assume the user's session and possible data.

SSL is a lower level form of security, encrypting every request to and from the server to prevent interception, and it retains integrity. SSL is achieved by (purchasing) an SSL certificate and installing it on your server. An SSL certificate is a small data file that binds a cryptographic key to an 'organisation'. Once installed successfully, HTTPS requests (on port 443 by default) are possible.

