Multiple user use same token. How to avoid it?

dwyl / learn-json-web-tokens

:closed_lock_with_key: Learn how to use JSON Web Token (JWT) to secure your next Web App! (Tutorial/Example with Tests!!)

MIT License

4.18k stars 253 forks source link

Multiple user use same token. How to avoid it? #75

Open ssboopathi1991 opened 6 years ago

ssboopathi1991 commented 6 years ago

I am new for JWT. I have created a token for one user. But other users can also use the same token, it's not validating. So how to create token based on the user?

$user_data = "user details";//EG: my id => 23
$token = JWTAuth::fromUser($user_data);

And also I have checked the token using the following line

$check_auth = JWTAuth::toUser($token);

JosephmBassey commented 4 years ago

It's impossible for multiple users to have same token, at least to my understanding; a valid JSON Web Tokens consist of three parts separated by dots (.), which are:

Header: The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA
Payload: The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically, the user) for example username, _id, email etc.
Signature: To create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that

you can read more on Introduction to JSON Web Tokens