Kevinwochan
commented
4 years ago Solution
- Tokens should expire after inactivity to limit pool of users to hijack
- Secret key should be periodically changed to time limit brute force algorithms
Maybe use https://github.com/paragonie/paseto/blob/master/README.md
Using a JWT with a known user. A attacker could brute force the secret key to hijack active JWTs.