What protects a JWT from being hijacked and used to pose as the original user?

JWTs are only an encapsulation of information into a string, with the ability to encrypt this information and detect tampering. JWTs by themselves don't protect against cookie theft or misuse done with sniffing, XSS, CSRF, browser extensions or similar.

This means you still need to employ the usual methods to protect the token or cookie against misuse, i.e. use http-only cookies to protect against XSS, use TLS to protect against sniffing, use CSRF tokens or other techniques to protect against CSRF, etc. And you might include some information in the protected token which makes misuse harder, like a fingerprint of the browser, the source IP of the user, etc. - see OWASP: Binding the Session ID to Other User Properties. Of course you need to verify this information each time the cookie is used for authorization.


There is a considerable risk posed by an attacker sniffing network traffic and stealing session cookies to impersonate other users. However, JWTs were not designed to address this risk. You have SSL/HTTPS to take care of that problem. An SSL connection between your browser and web server provides confidentiality and data security in transit. If you are using JWTs over an HTTP connection, there is not much you can do to prevent the attacker from sniffing your traffic and misusing the token.

JWTs are self-sufficient tokens which are used to share authentication information between different systems. They solve the problem of relying on third parties for validating an authentication token, as all the information required to validate the JWT is contained within the token itself. This simplifies the process of onboarding in a single sign-on system, as there is minimal integration required. JWTs are also HTTP-friendly, as they are just Base64 strings.

JWTs have had their share of security issues in the past. Read more.

P.S. you still need to rely on third parties to get the right public keys for token validation.