Security Implications for Json Web Token Used in MERN Stack for Developing E-Commerce Web Application

International Journal of Engineering and Advanced Technology (IJEAT) ISSN: 2249-8958 (Online), Volume-10 Issue-1, October 2020

Pooja Mahindrakar, Uma Pujeri

Abstract: In almost every organization where user-sensitive data is held, the security and privacy of that data play a vital role. Because storing this session information in the database is an overhead, tokens are generated that handle sessions and also carry the user details themselves. One such widely used stateless token is the JSON Web Token. This paper presents research on the implementation of an authentication and authorization technique using JSON Web Tokens, which makes the web service a role-based one. In the project undertaken, the JSON Web Token is generated in a more secure way by choosing the secret key for the token wisely. Usually the key for the token was a mere string, or a set of keys stored in a key ring in the database and used alternately for users to create the token. In another trial model a captcha was used; in short, a random number was generated and used as the secret key for token generation, but the main issue was increased storage. This project therefore tries to reduce storage and also generates a less predictable secret key.

Keywords: Token, Authentication, JWT, Security, Privacy, Sessions, Encryption.

I. INTRODUCTION

In recent years technology has evolved immensely. As the world becomes more and more digitally active, there is a great need for the Internet, and as this digital world evolves drastically, the Internet plays a vital role. As a result, online websites are increasing in number, ranging from shopping carts and e-commerce to many educational sites. Whatever the website is, security plays the main role in maintaining it. The security of a website has many facets: it may include security against stealing customer information, hijacking the session, protecting the database, secure login, secure sign-up, token generation, token expiry, token key storage, and so on.

In the early days, when the Internet was just introduced, many websites were launched that had static data rather than dynamically changing data. Storage and retrieval were thus a bit easier compared to sites with changing data. As dynamic data started increasing, there was a need for more developed, application-like websites where rapidly changing data could be handled efficiently. Thus there was an emergence of web applications. These web applications usually do not allow the client to connect directly to the database, as there may be many security concerns. Thus there is usually a middleware layer that hears from the client and fetches information from the database. Consider huge-data websites like Amazon, Flipkart, Alibaba, etc., where huge numbers of customer interactions take place per second; on such websites securing each transaction is again a major concern in web security. As huge financial transactions are involved, the attraction of attackers to these websites is an obvious thing. Thus securing them plays a crucial role in web security.

Now let us look more deeply into what kind of security is involved in such scenarios. Security includes authentication, authorization, data privacy, data integrity and data confidentiality. All of these involve the privacy, validation and storage of a client's sensitive data. Two major concerns of security are authentication and authorization. Understanding what authentication and authorization are, and the difference between them, is the main task to be done before diving into the details of web security and data privacy. When a person initially signs up and logs in, he enters all his essential information, such as email and password, in order to log in. At the back-end this information is gathered and validated to confirm that this is the same person who signed up. Once this validation is done, we say authentication is complete and the person is eligible to log in to the website; in short, he now has the right to enter the website and get website information from the database. Now comes the main task: what part of the database, or how much of the data, should that person be allowed to access? Deciding how much, what data and which part of the database a person can access is called authorization. The main point to note is that authorization is done only after authentication. There is no authorization without authentication, because only if the person is validated can we think of assigning rights to a restricted part of the database. In order to grant authorization to any person visiting the website, we first have to assign a ticket to the person after authentication, denoting that the person is already authenticated and can now be authorized. These tickets are issued by the server at the back-end, and they should be carried by every user every time they want to access the database. This ticket came to be called a "token". At the very beginning, the most popular tokens were session tokens. So what is meant by a session? A session is the duration of time the user stays after logging in to the website until he leaves the website. Based on this name, session tokens were created.

Revised Manuscript Received on September 15, 2020.
* Correspondence Author
Pooja Mahindrakar*, M.Tech, MIT World Peace University, Pune (Maharashtra), India.
Dr. Uma R Pujeri, Associate Professor, MIT College of Engineering, Pune (Maharashtra), India.
© The Authors. Published by Blue Eyes Intelligence Engineering and Sciences Publication (BEIESP). This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/)
Retrieval Number: 100.1/ijeat.A16631010120
DOI: 10.35940/ijeat.A1663.1010120
Journal Website: www.ijeat.org
Published By: Blue Eyes Intelligence Engineering and Sciences Publication
© Copyright: All rights reserved.
These tokens are valid only while the session is active. Once the session is over, the session token expires, and every time a session is started, a new session token is created. A major drawback is that the details of a user who has already visited our website are not stored in the token, so authentication must be done again each time, and to do so the database must be accessed each time; this database hit is a major overhead. In order to avoid this overhead, a different kind of token was developed which itself stores all the user information required for authentication and authorization. This means they are self-contained tokens, and there is no need to go to the database and fetch customer data just to authenticate and authorize. Instead, the self-contained token, holding information such as the username, password, expiry date or time of the token, etc., should be attached to each database request raised by the user. Thus the authorization that is done on every click of the user can be made easy and the database access overhead can be reduced. One such self-contained token is the JSON Web Token, commonly called JWT. JSON Web Tokens are called lightweight tokens because the time taken to parse them is very small, as they are self-contained. JSON Web Tokens ease the tasks of authentication, authorization and security of the website. The statements (claims) of a JWT are stored in JSON format as JSON entities, and each of these JSON entities is used as the payload or plaintext for JSON Web Encryption, or as the payload for JSON Web Signatures, which helps us make the digital signature that asserts the person is the same one he claims to be. A JSON Web Token is never encrypted; it is only encoded. As discussed above, JWTs are stateless (self-contained), short-lived tokens. Initially a token was only a string, e.g. 2pWS6RQZpE0T4I0pOX. Nowadays it is a larger structure encoded in Base64 (UTF-8) format. The burden on the database is reduced by using these lightweight tokens.

II. JWT STRUCTURE [1]

A JSON Web Token is divided into three parts, each separated by a full stop. The following discussion describes them.

A. Header

Header: This contains information about the algorithm used to create the signature. Here we consider an example where the JWT uses the HMAC256 algorithm. The JSON token is always encoded with the base64 algorithm. The header format in JSON is as follows:

{
  "alg": "HS256",
  "typ": "JWT"
}

1) Signature

Signature: This is created by joining the header and payload and encoding them using the base64 algorithm; later it uses the HMAC-256 algorithm to encrypt the data. The pseudo-code for creating the token's signature is as follows:

HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  secret
)
(secret base64 encoded)

C. Authorization Bearer

An arbitrary string called a bearer token can be used for obtaining permissions. A bearer token can be a JWT, which can then be used for authorization. A bearer token is only an arbitrary string used for permission; the bearer token is a JWT when a JWT is used for authorization.

Eg: eyJhbGvbdi9fcbjderu7crbeufy9Rt709u9.ey3ORT4tfvbR843Rfh6t8Tgbj578EnjyTnhyufu.SftykmR843Rfh6t8bhj3DY4ugbmgjhvhy46t87FD

III. TYPES OF SIGNATURES

Symmetric Signature: Symmetric signatures are the ones that rely on the same secret key for verifying and generating signatures using an HMAC function. Symmetric signatures are setup-friendly and are mostly used within a single application.

Asymmetric Signature: Asymmetric signatures depend on a key pair for signing and verification. The public key is publicly available and is used for verification, while the private key is kept secret and used for signing. Asymmetric signatures are useful in distributed scenarios.

[Figure: unsigned token (Header + Payload) versus signed token (Header + Payload + Signature)]

JWT PSEUDOCODE

The JSON token is always encoded with the base64 algorithm.

Step 1: Encode the token type (JWT) and the algorithm used for JWT generation (here HMAC SHA 256) with base64encode. This forms the first part of the token.

Step 2: Encode the payload details with base64encode.
