Where should the JWT be stored? Did you find it?

I have used JWTs as authentication tokens in my projects in recent years, and one question has always come up: where should the JWT that the server issues to the browser be stored? Only the browser scenario is discussed here, and in the browser there are three options.

Cookie

The server can send the JWT to the browser in a cookie. When the browser later calls the server's API, it automatically attaches that cookie in the Cookie header, and the server authenticates the user by verifying the JWT it finds there. The convenience of automatic sending is also the weakness: the browser attaches the cookie to requests triggered from other sites as well, which makes this approach vulnerable to CSRF.

The fix is to set the cookie's SameSite attribute to Strict. The cookie is then never sent on cross-site requests: the browser only attaches it when the site of the page making the request is the same site as the request target. SameSite=Lax, which Chromium-based browsers apply when the attribute is missing, still sends the cookie on top-level GET navigations from other sites, so set the attribute explicitly rather than relying on the default.

Besides CSRF, cookies are also exposed to XSS: a script injected into the page can read the cookie through document.cookie. Setting the HttpOnly attribute hides the cookie from JavaScript. Note what HttpOnly does and does not do: it stops the token from being read and exfiltrated, but script running on the page can still issue requests that the browser sends with the cookie attached. Add the Secure attribute as well so the cookie is only ever sent over HTTPS.

```java
// Servlet-style Set-Cookie from the article; jwt_value, domainvalue and seconds are placeholders
response.setHeader("Set-Cookie", "jwt=jwt_value; Path=/; Domain=domainvalue; Max-Age=seconds; HttpOnly");
```

Max-Age sets the cookie's lifetime in seconds. Without it the cookie is a session cookie that the browser discards when it is closed.
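The following is an added example, not code from the original article. It builds a Set-Cookie header for a JWT with the attributes discussed above (HttpOnly, SameSite, plus Secure), audits an existing header for missing protections, and simulates the browser's SameSite decision for a cross-site request so the CSRF behaviour can be checked offline. Hostnames and token values are constructed, and the site() helper is a simplification of how browsers compute the registrable domain.

```javascript
// Added example, not code from the original article: build a hardened
// Set-Cookie header for a JWT, audit an existing one, and simulate the
// browser's SameSite decision for a cross-site request. Hosts and token
// values are constructed; site() is a simplification.

// Build the Set-Cookie value. Secure is added alongside HttpOnly and SameSite:
// a cookie carrying an authentication token should never travel over plain HTTP.
function buildJwtCookie(jwt, { domain, maxAge, sameSite = "Strict" } = {}) {
  // JWS compact serialization uses only base64url characters and dots, so a
  // real token never needs quoting; reject anything else before it reaches the header.
  if (!/^[A-Za-z0-9_.-]+$/.test(jwt)) {
    throw new Error("JWT contains characters not allowed in a cookie value");
  }
  const parts = [`jwt=${jwt}`, "Path=/"];
  if (domain) parts.push(`Domain=${domain}`);
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  parts.push("HttpOnly", "Secure", `SameSite=${sameSite}`);
  return parts.join("; ");
}

// Parse a Set-Cookie header into name, value and a lowercase attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Audit a token cookie: list the protections it is missing.
function auditTokenCookie(header) {
  const { attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.httponly) findings.push("missing HttpOnly: readable via document.cookie");
  if (!attrs.secure) findings.push("missing Secure: sent over plain HTTP");
  const mode = String(attrs.samesite || "").toLowerCase();
  if (mode === "") findings.push("missing SameSite: browser default applies");
  if (mode === "none" && !attrs.secure) findings.push("SameSite=None requires Secure");
  return findings;
}

// Registrable domain, approximated as the last two labels (app.example.com and
// api.example.com are the same site). Real browsers use the Public Suffix List.
function site(host) {
  return host.split(".").slice(-2).join(".");
}

// Would the browser attach this cookie to a request, considering SameSite only?
// `initiator` is the host of the page making the request, `target` the request
// host, `topLevelNav` whether the request is a top-level navigation (link click).
function cookieWouldBeSent(header, { initiator, target, method = "GET", topLevelNav = false }) {
  const { attrs } = parseSetCookie(header);
  if (site(initiator) === site(target)) return true; // same-site: SameSite never blocks
  // A missing attribute is treated as Lax, as Chromium-based browsers do.
  const mode = String(attrs.samesite || "Lax").toLowerCase();
  if (mode === "strict") return false;
  if (mode === "lax") return topLevelNav && method === "GET";
  return true; // None: sent cross-site (browsers only accept it together with Secure)
}
```

Running cookieWouldBeSent with the Strict cookie and a page on another site returns false for any method, which is the CSRF protection the text describes; the same call with a Lax cookie returns true only for a top-level GET, which is why forms and API endpoints that change state must not accept GET.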

localStorage

localStorage can also hold the JWT, and because the browser never attaches it to requests on its own, there is no CSRF problem: the application code has to read the token and put it in a request header itself. That same property is its weakness against XSS: any script running on the page can call localStorage.getItem and send the token elsewhere, which is exactly what HttpOnly prevents for cookies. localStorage also has no expiry of its own: unless the application or the user removes the token, it stays there indefinitely, even after the token itself has expired.

sessionStorage

sessionStorage behaves like localStorage in most respects, but its lifetime differs: it is session-level storage scoped to the tab and is cleared when the page or the browser is closed. It is just as readable by script, so it offers no extra protection against XSS.
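The following is an added example, not code from the original article. It shows the client-side work that the localStorage and sessionStorage options require and that a cookie does for free: attaching the token as an Authorization header, and, because Web Storage never expires anything, evicting the stored JWT once its exp claim has passed. MemoryStorage is a stand-in with the Web Storage getItem/setItem/removeItem interface so the code runs in Node; in a browser, pass window.localStorage or window.sessionStorage instead. The tokens are constructed for the example with a placeholder signature.

```javascript
// Added example, not code from the original article: token handling for the
// localStorage / sessionStorage option. The browser does not attach the token
// itself, so the code adds an Authorization header, and because Web Storage has
// no expiry the client checks the JWT's exp claim before using a stored token.
// MemoryStorage is a stand-in with the Web Storage interface so the example runs
// in Node; in a browser pass window.localStorage or window.sessionStorage instead.
class MemoryStorage {
  constructor() { this.items = new Map(); }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
  setItem(key, value) { this.items.set(key, String(value)); }
  removeItem(key) { this.items.delete(key); }
}

const TOKEN_KEY = "jwt";

function base64UrlToString(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

function stringToBase64Url(s) {
  const bytes = new TextEncoder().encode(s);
  const bin = Array.from(bytes, (b) => String.fromCharCode(b)).join("");
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decode only the payload. The browser is not the verifier; it just needs exp to
// decide whether the token is still worth sending. Signature checks stay on the server.
function decodePayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a JWS compact serialization");
  return JSON.parse(base64UrlToString(parts[1]));
}

// Return the stored token if its exp is still in the future, otherwise evict it.
// A token without exp is treated as unusable: an indefinitely valid token kept in
// storage indefinitely is exactly the combination the article warns about.
function getValidToken(storage, now = Math.floor(Date.now() / 1000)) {
  const jwt = storage.getItem(TOKEN_KEY);
  if (jwt === null) return null;
  let payload;
  try {
    payload = decodePayload(jwt);
  } catch {
    storage.removeItem(TOKEN_KEY); // unparsable: drop it rather than keep sending it
    return null;
  }
  if (typeof payload.exp !== "number" || payload.exp <= now) {
    storage.removeItem(TOKEN_KEY);
    return null;
  }
  return jwt;
}

// The manual counterpart of the cookie's automatic send: returns a fetch init with
// the bearer header, or null when there is no usable token (caller redirects to login).
function withAuth(storage, init = {}, now) {
  const jwt = getValidToken(storage, now);
  if (jwt === null) return null;
  return { ...init, headers: { ...(init.headers || {}), Authorization: `Bearer ${jwt}` } };
}

// Constructed token for the example with a placeholder signature. It exercises the
// client-side code only; a real token is issued and signed by the server.
function makeExampleJwt(payload) {
  const header = stringToBase64Url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  return `${header}.${stringToBase64Url(JSON.stringify(payload))}.placeholder`;
}
```

In a browser the call would be `fetch("/api/me", withAuth(window.localStorage, { method: "GET" }))`, with a null result meaning the user has to log in again. The exp check is a usability measure, not a security boundary: a script injected through XSS can read the token from storage just as easily as this code does, which is the point the article makes about all three options.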

Summary

You may have noticed that all three methods share the same weakness: exposure to XSS. Whichever storage you choose, pay special attention to XSS prevention and always follow XSS protection best practices.

Conclusion

All three options are exposed to XSS, so if you have high security requirements you need to configure them carefully. Of the three, only cookies offer security attributes such as SameSite, HttpOnly and Secure, and with HttpOnly set an injected script can at most use the token from the page, not read and steal it. For that reason cookies are the best choice.

This article is reprinted from the WeChat public account "Coder Xiaopangge". To reprint this article, please contact that account.
