Where should I really keep my JWT token?


7

In many tutorials (mostly for Single Page Applications), the most common authentication method is the JWT token.

The problem is that most of them recommend persisting this token in the browser's localStorage, a practice that many claim is insecure.

It makes me question:

  1. Why is storing the JWT token in the localStorage API considered unsafe?
  2. If localStorage is unsafe, what is the best way to store these tokens?
  3. What are the alternatives for JWT token storage?

3 answers

4


  1. Browser localStorage (or sessionStorage) is not secure. Any stored data may be vulnerable to cross-site scripting. If an attacker steals a token, he can access and make requests to your API.

  2. If the application has a backend server, the tokens must be handled on the server side using the web application's login flow (for example, in a backend service written in Node.js, token validation is done through a middleware that protects a route if the token is invalid).

  3. Alternative: cookies. You can also use cookies to store the JWT. The exact way to set a cookie depends on the language you are using.

A little more about Cookies

There are different options to control the lifespan of a cookie:

  • Cookies can be destroyed after the browser is closed (session cookies).

  • Implement a server-side check (usually done by you through the web framework in use), and you can implement an expiration window or expiration when the browser is closed.

  • Cookies can be persistent (not destroyed after the browser is closed) with an expiration date.

Cookies can be read by server-side code and JavaScript, or only by the server side if the httpOnly flag is set.

You can set the flag secure = true so that cookies can only be set over an encrypted connection.


ATTENTION

Disadvantages of cookies:

The maximum size of a cookie is only 4 KB, which can be problematic if you have many claims attached to the token.

Cookies may be vulnerable to cross-site request forgery (CSRF or XSRF) attacks. Using the CSRF protection of a web application framework makes cookies a safe option for storing a JWT.

CSRF can also be partially prevented by checking the HTTP Referer and Origin headers. You can also set the restrictive cookie flag SameSite = Strict, with which cookies are not sent to third-party websites, which helps prevent CSRF attacks.

This can be difficult to implement if the application requires cross-domain access. Cookies have additional properties (Domain / Path) that can be modified to specify where the cookie may be sent.



0

Keeping the JWT in localStorage is common; it's just good to keep an eye on the content that is saved in the token. Normally we save the logged-in client's object, but be careful with its sensitive data: it does not need to be present in the JWT. Also, always validate on the server side to check that the JWT is still valid.

-2

It is usually stored in localStorage itself. It is insecure only if someone sees the token on your machine when you log in to the application.
