Secure user token between SPA HTML5 app and web service?

Question

Sorry if this has been asked a few times, but can't quite find out a solid response.

I want to secure the login procedure and session (kind of) between an HTML5 app and a PHP web service. I present the user with a login screen that uses HTTPS with the server, and then give the client a random GUID that is stored in a database with their time of login and last request time, and their actual user ID that I store for their row on a users table. So the GUID might be different every time but the user ID it maps to on login can only be seen server side.

I'm vary weary when it comes to authentication and never really dealt with a HTML5/JS app against a web service like this. I've usually developed ASP .NET sites and used sessions.

I've recently discovered JWT tokens which encrypts data stores in the token string that is contained on the client and passed to/from the server. Is this safer than what I'm doing? Should I be using JWT as opposed to this GUID mapping I have now?

What I'm aiming for is a session-less request to a web farm which could put you on to any specific web server, and the request is validated to see if that request has came from a valid logged in user.

Any advice would be welcome :).

Thanks.

Answer 1

Using a JWT token is totally safe provided you don't encode sensitive data in the token because the token can be decoded without the secret.

What you can do is to have two key pairs (private/public) RSA keys. Private for encoding the token and sending it to the client on login success

the client saves the token to maybe a cookie, HTML5 localstorage etc, on every request, the client passes the token via the request header back to the web server, then the web server verifies the token with the public key. whilst decoding the token and getting the GUID from the token and can then proceed with the request.

This workflow can work across several server side languages as there are many JWT libraries for them.