2

I'm using the JWT web token system. I was able to generate tokens successfully. I'm creating JWT tokens in Laravel as follows:

I'M USING THE FOLLOWING TECHNOLOGY STACK

SAMPLE CODE

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use JWTAuth;
use Tymon\JWTAuth\Exceptions\JWTException;

class AuthenticateController extends Controller
{
    public function authenticate(Request $request)
    {
        // grab credentials from the request
        $credentials = $request->only('email', 'password');

        try {
            // attempt to verify the credentials and create a token for the user;
            // JWTAuth::attempt() returns the encoded token string, or false on bad credentials
            if (! $token = JWTAuth::attempt($credentials)) {
                return response()->json(['error' => 'invalid_credentials'], 401);
            }
        } catch (JWTException $e) {
            // something went wrong whilst attempting to encode the token
            return response()->json(['error' => 'could_not_create_token'], 500);
        }

        // all good so return the token
        return response()->json(compact('token'));
    }
}

SAMPLE OUTPUT

I'm GETTING

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

QUESTION 1

Is the generated token UNIQUE?

SergkeiM
Lakshmaji

2 Answers

6

JWT is unique in a way that no two users can have the same token generated for them.

Norgul
  • How is the JWT token unique, i.e., on what parameters is the token UNIQUE (whether it's due to the HEADER or PAYLOAD or SIGNATURE)? – Lakshmaji Apr 14 '16 at 06:20
  • Header, payload and signature together make a token. You have no real security issue if someone finds one part of the whole token. But the header is the same; the other two change. Check the [link](https://jwt.io/) and try to change values and see what happens – Norgul Apr 14 '16 at 06:31
  • How can I make the user token valid for a period between successful login and logout? – Lakshmaji Apr 14 '16 at 06:37
  • I think you should have a `remember_token` field in the Laravel User model by default. Once you create the token, you can store it in that field, and upon logout you simply delete it. After the next login, the user will get another token generated, and so you repeat the process – Norgul Apr 14 '16 at 06:55
  • That makes sense, but how can I set the JWT token to be expired or destroyed after successful logout only? Not before successful logout – Lakshmaji Apr 14 '16 at 06:58
  • It should be done so after you call the `logout()` method/route. If you're using Laravel 5 and `php artisan make:auth`, you should find the `logout()` method in the AuthenticatesUsers trait. If you're using the PHPStorm IDE, you can do double-shift and type logout...or getLogout – Norgul Apr 14 '16 at 07:10
  • I'm asking how to set the JWT token to be destroyed – Lakshmaji Apr 14 '16 at 07:15
  • Find the authenticated user, and set his token field property to null – Norgul Apr 14 '16 at 07:39
  • Yes, I found a way to destroy the access token by using **JWTAuth::setToken($token)->invalidate();** – Lakshmaji Apr 14 '16 at 09:10
  • Thank you, I have got the perfect solution to the above problem. – Lakshmaji Apr 14 '16 at 09:11
  • Just found out that the `remember_token` can't actually be used like that...it is used for prevention of cookie hijacking...but you got it :) – Norgul Apr 14 '16 at 14:40
  • Yes, I know that. In Laravel the remember token field is used to store XSRF (Cross-Site Request Forgery (CSRF)). – Lakshmaji Apr 15 '16 at 04:57
  • Currently I'm storing the JWT token in a MySQL DB with the VARCHAR data type of size 255 (maximum size). Is it sufficient to store the JWT, i.e., VARCHAR(255)? – Lakshmaji Apr 15 '16 at 05:16
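Added example (Python, not code from the question or from tymon/jwt-auth): a minimal HS256 issue/verify pair that shows what the answer and comments describe. The header stays constant, the payload and signature change on every login because of a fresh `jti`, any edit to header or payload breaks the signature, and logout is handled by blacklisting the token's `jti`, which is the idea behind the `JWTAuth::setToken($token)->invalidate()` call in the comments. The secret and the in-memory blacklist are constructed for the demo.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-secret"  # constructed; Laravel reads JWT_SECRET from .env
REVOKED = set()  # constructed in-memory stand-in for a server-side blacklist of jti values

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(user_id, ttl=3600, now=None):
    """Mint an HS256 token (header.payload.signature) like the one in the question."""
    now = int(time.time()) if now is None else now
    # jti is fresh per login, so even the same user gets a different token each time
    payload = {"sub": user_id, "iat": now, "exp": now + ttl, "jti": secrets.token_hex(16)}
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify(token, now=None):
    """Return the claims if signature, expiry and revocation checks pass, else None."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        # constant-time compare; any change to header or payload breaks the signature
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        if json.loads(b64url_decode(head)).get("alg") != "HS256":  # pin the algorithm
            return None
        claims = json.loads(b64url_decode(body))
    except ValueError:  # malformed base64, bad JSON or wrong number of segments
        return None
    if claims.get("exp", 0) <= now or claims.get("jti") in REVOKED:
        return None
    return claims

def invalidate(token):
    """Logout: blacklist the jti so the still-unexpired token is refused from now on."""
    claims = verify(token)
    if claims is None:
        return False
    REVOKED.add(claims["jti"])
    return True
```

`len(issue(1))` shows the token size; it grows with every claim added (tymon/jwt-auth adds iss, iat, exp, nbf, sub and jti by default), so a column width should be chosen from the real claim set rather than from the sample token in the question.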
4

In general, JWT is actually replacing the combination of username and password. What it means is that, instead of sending the username and password with each request for a restricted resource, the server will return a unique token after verifying that the credentials are correct the first time the user logs in. Afterwards, every request will include the token, which will be checked as valid or not before fulfilling the request.

So, if two users come in and log in with two valid credentials, they will receive two different tokens from the server.

geckob