Hacker News
ynniv
2733 days ago
You can sign session ids to prevent DoS, and you can cache session ids to avoid database lookups, but you can't detect forged or stolen JWT tokens.
1 comment
nmgsd
2731 days ago
You can't forge a JWT without stealing the private key of the valid JWT signer.
You can steal a JWT token the same way you can steal a session token.
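The two claims in this exchange, that a JWT cannot be forged without the signer's key but can be replayed like any stolen session id, can be shown with a minimal HS256 verifier. The code below is an added example and is not from either commenter; it assumes HS256 with a constructed demo secret, and it adds an `exp` check as the usual mitigation that bounds how long a copied token remains usable.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for the demo; a real service loads it from a secrets store.
SECRET = b"demo-hs256-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def _compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def sign_jwt(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT: base64url(header).base64url(payload).base64url(HMAC)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(_compact_json(header))}.{_b64url(_compact_json(claims))}"
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(mac)}"


def verify_jwt(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, otherwise None.

    1. The HMAC over header.payload must match: any edit to the token is detected.
    2. The `exp` claim must be in the future: a copied token stops working once
       the window closes, since nothing else distinguishes it from the original.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm; the token must not choose how it is verified.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many signature bytes matched.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers malformed base64 and malformed JSON
        return None
    now = time.time() if now is None else now
    if "exp" not in claims or claims["exp"] <= now:
        return None
    return claims


def demo() -> dict:
    """Exercise the cases discussed in the thread with a constructed clock."""
    issued_at = 1_700_000_000  # constructed timestamp
    token = sign_jwt({"sub": "alice", "exp": issued_at + 900}, SECRET)
    # Intact token verifies.
    genuine = verify_jwt(token, SECRET, now=issued_at + 10)
    # Editing the payload (changing the subject) invalidates the signature,
    # so a forgery made without the key is rejected.
    header_b64, _payload_b64, sig_b64 = token.split(".")
    edited_payload = _b64url(_compact_json({"sub": "admin", "exp": issued_at + 900}))
    forged = verify_jwt(f"{header_b64}.{edited_payload}.{sig_b64}", SECRET, now=issued_at + 10)
    # An unmodified copy is accepted exactly like the original (bearer token,
    # same as a session id); only expiry limits how long that holds.
    copied_in_window = verify_jwt(token, SECRET, now=issued_at + 600)
    copied_after_expiry = verify_jwt(token, SECRET, now=issued_at + 901)
    return {
        "genuine": genuine is not None,
        "forged": forged is not None,
        "copied_in_window": copied_in_window is not None,
        "copied_after_expiry": copied_after_expiry is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `genuine` and `copied_in_window` as True and `forged` and `copied_after_expiry` as False, which is the whole point of the thread: signature verification catches modification, not possession, so short expiry (and, where practical, token revocation lists or binding the token to the client) is what limits the damage from a stolen token.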