Abstract: Systems and methods for secure stateless client-server communication. User credentials in a client authorization request are authenticated and used to generate a JSON web token (JWT). The JWT header and signature are encrypted and included in an HTTP-only cookie. The JWT payload is encrypted and sent to the client in a response body along with the HTTP-only cookie. Each subsequent client request includes the cookie and has the encrypted JWT payload in the request header. Upon receiving the request, the server decrypts the encrypted JWT payload from the header and decrypts the encrypted JWT header and signature from the cookie, then reconstructs the JWT from the JWT header, payload and signature. The server validates the JWT and, if valid, processes the request according to authorizations in the JWT payload.

Abstract: Systems and methods for secure stateless client-server communication. User credentials in a client authorization request are authenticated and used to generate a JSON web token (JWT). The JWT header and signature are encrypted and included in an HTTP-only cookie. The JWT payload is encrypted and sent to the client in a response body along with the HTTP-only cookie. Each subsequent client request includes the cookie and has the encrypted JWT payload in the request header. Upon receiving the request, the server decrypts the encrypted JWT payload from the header and decrypts the encrypted JWT header and signature from the cookie, then reconstructs the JWT from the JWT header, payload and signature. The server validates the JWT and, if valid, processes the request according to authorizations in the JWT payload.