Systems A and B each have a separated front end and back end.
(The two systems are cross-domain.)
Now a page in system A jumps to system B.
When I use it to jump to system B, there is an encrypted token (containing the user ID) in the address bar so that system B can log the user in automatically.
This page displays the product information and discounts for this user.
At this point, if I know someone else's token and modify the address bar, the page shows that other person's information.
So without even knowing other people's account passwords, I have obtained some of their user information.
Encrypt with HTTPS; the HTTP protocol itself is not safe, it is plain text.
These guys are right, I am wrong.
The simplest method is also the safer one: when site B logs him in, pop up a box again and have him confirm his password!
There is a token called a CSRF token, or the random-number method. It's worth having; the CSRF token limits such cross-domain attacks.
The JWT verification token must be placed in the header. You may consider authorization authentication.
First of all, tokens emerged to solve the problem of user verification. Since there are two systems, automatic login should be avoided; it is very unsafe.
But since you have such a need, you can only mitigate it as much as possible. Here is a solution: try to avoid sensitive information in the token. Secondly, when authorizing cross-system tokens, make the authorization of this token one-time and compress the token's validity period, so that the token is only valid for, say, 30 minutes. In fact, you can refer to the way many third-party logins such as Weibo issue authorized tokens that only contain a small amount of information such as nicknames and avatars.
Is this a real scene?
If you can get someone else's token, it is equivalent to eavesdropping on his password. This is not a JWT security issue.
The measure related to JWT itself is to add an expiration time to force the JWT to expire after a certain period of time.
According to the JWT specification, it is best to put JWT in the request header Authorization, not in the URL.
HTTPS works.
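The following is an added example, not code from the thread or any of its posters, showing the two pieces of advice above together: the answer proposing a one-time cross-system token that expires after 30 minutes, and the answer recommending that the JWT ride in the Authorization header rather than the URL. It assumes hypothetical names (HandoffBroker, issue_session_token, user_from_request), a server-to-server channel by which system B redeems the code with system A, and a hand-rolled minimal HS256 JWT in place of a library; the timestamps, user id and keys are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

HANDOFF_TTL = 30 * 60   # the 30-minute validity the answer suggests
SESSION_TTL = 60 * 60   # hypothetical lifetime of the session token B issues afterwards


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class HandoffBroker:
    """System A's side (hypothetical): issues opaque, single-use, short-lived handoff
    codes. The code carries no user data; the mapping lives only in A's own store."""

    def __init__(self, ttl_seconds: int = HANDOFF_TTL):
        self.ttl = ttl_seconds
        self._pending = {}  # code -> (user_id, expires_at)

    def issue(self, user_id: str, now: float = None) -> str:
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)  # 256 random bits: not guessable, unlike an encoded user id
        self._pending[code] = (user_id, now + self.ttl)
        return code

    def redeem(self, code: str, now: float = None):
        """Called by system B over a server-to-server channel (assumed). Returns the
        user id on the first valid redemption, None for a replay or an expired code."""
        now = time.time() if now is None else now
        entry = self._pending.pop(code, None)  # pop: a copied URL is useless after first use
        if entry is None:
            return None
        user_id, expires_at = entry
        if now > expires_at:
            return None
        return user_id


def issue_session_token(secret: bytes, user_id: str, now: float, ttl: int = SESSION_TTL) -> str:
    """System B's side: minimal HS256 JWT (hand-rolled here; a library would do in practice)
    holding only the user id and an expiry, as the answer recommends."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": user_id, "iat": int(now), "exp": int(now) + ttl}
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = header + "." + payload
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_session_token(secret: bytes, token: str, now: float):
    """Returns the user id when algorithm, signature and expiry all check out, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":  # never trust the token's own choice of "none" etc.
            return None
        expected = hmac.new(secret, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        payload = json.loads(_b64url_decode(p))
    except (ValueError, AttributeError):  # malformed base64/JSON or wrong segment count
        return None
    if now >= payload.get("exp", 0):
        return None
    return payload.get("sub")


def user_from_request(secret: bytes, headers: dict, now: float):
    """The session token travels in the Authorization header, never in the URL, so it
    stays out of browser history, Referer headers and access logs."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return verify_session_token(secret, auth[len("Bearer "):], now)


def demo():
    """Walks the handoff with constructed timestamps and returns the outcome of each step."""
    broker = HandoffBroker()
    b_secret = secrets.token_bytes(32)
    t0 = 1_700_000_000.0
    code = broker.issue("user-42", now=t0)
    # the browser is redirected to B with the code in the URL; B redeems it over the back channel
    first = broker.redeem(code, now=t0 + 60)
    replay = broker.redeem(code, now=t0 + 61)            # a second use of the same URL fails
    stale = broker.issue("user-42", now=t0)
    expired = broker.redeem(stale, now=t0 + 31 * 60)      # past the 30-minute window
    token = issue_session_token(b_secret, first, now=t0 + 60)
    headers = {"Authorization": "Bearer " + token}
    valid = user_from_request(b_secret, headers, now=t0 + 120)
    late = user_from_request(b_secret, headers, now=t0 + 60 + SESSION_TTL + 1)
    forged_token = issue_session_token(b"guessed-key", "user-42", now=t0 + 60)  # wrong key
    forged = user_from_request(b_secret, {"Authorization": "Bearer " + forged_token}, now=t0 + 120)
    return {"first": first, "replay": replay, "expired": expired,
            "valid": valid, "late": late, "forged": forged}


if __name__ == "__main__":
    print(demo())
```

Running demo() redeems the handoff code once, then shows that the same code replayed, a code older than 30 minutes, an expired session token and a token signed with the wrong key all yield None. The point of the split is that the only value ever visible in the address bar is a random code that is dead after one use, while the long-lived credential never leaves the Authorization header.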