
My application has an API part and a website-part. On the website, the user can log in and gets a JWT bearer token from the API.

My question now is:

Where should I store that token?

Some say store it in a cookie (while others say "don't, because CSRF"), some say HTML5 Web Storage, others say use Session (while others say "don't use Sessions in ASP.NET Core"), and I saw an article where someone stored the auth token in a database (??). So, what's the correct place?

Matthias Burger

1 Answer


MVC-web application with many controllers and a lot of views

If you have to use the token to authenticate every request to your MVC app, I think the best option is to store it in a session cookie because, if not, the web browser is not going to send the token automatically in every request and it will be a pain in the ass.

Now, to secure the cookie and requests:

  • Make it a session cookie (no expiry date).
  • Restrict the scope of the cookie all you can (domain and path).
  • Set the Secure and HttpOnly attributes.
  • Set SameSite attribute.
  • If browser does not support SameSite use an anti-CSRF token.
  • Set restrictive X-Frame-Options.
  • Do not forget to verify the JWT signature on your server on every request.
  • Encrypt the JWT token to prevent leaking information that could lead to social engineering.
jlvaquero
  • That list of hints is useful and I think it's what I searched for to make my application safer against attacks. So the `anti-CSRF token` you're mentioning is the infamous `anti-forgery-token` (Now, everything starts to make sense to me :D )? So it's okay to store the token in cookies when I'm using an anti-forgery token? – Matthias Burger May 30 '17 at 12:37
  • As long as you do not screw up handling the anti-forgery token; yes. – jlvaquero May 30 '17 at 20:01
  • @jlvaquero What if I want to have my frontend (empty asp.net core web project + vue.js talking to the web api backend) on a different host? – lexeme Dec 10 '18 at 11:06
  • @lexeme The cookie with the JWT will be sent to any subdomain if configured right. If you are using a completely different domain, CORS allows you to grant permission to access selected resources from a server at a different origin. – jlvaquero Dec 11 '18 at 07:29
  • @jlvaquero Should a CSRF protection token be used in my case? And if it should, then how do I do this? – lexeme Dec 11 '18 at 07:42
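As an added example (not code from the question, the answer or any commenter), here is how the cookie attributes from the answer, the cookie-to-bearer hand-off and the per-request signature check fit together in an ASP.NET Core minimal API. It assumes a web project with implicit usings, the Microsoft.AspNetCore.Authentication.JwtBearer package, a signing key stored under the configuration key `Jwt:SigningKey`, and made-up issuer/audience values.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
// Assumed config key; keep the real key in a secret store, never in source.
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(builder.Configuration["Jwt:SigningKey"]!));

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(o =>
{
    // Signature, issuer, audience and expiry are verified on every request.
    o.TokenValidationParameters = new TokenValidationParameters
    {
        IssuerSigningKey = key, ValidIssuer = "https://example.test", ValidAudience = "mvc-app",
        ValidateIssuerSigningKey = true, ValidateLifetime = true, ClockSkew = TimeSpan.FromSeconds(30),
    };
    // The browser sends the cookie automatically; hand its value to the bearer handler.
    o.Events = new JwtBearerEvents
    {
        OnMessageReceived = ctx =>
        {
            if (ctx.Request.Cookies.TryGetValue("auth", out var jwt)) ctx.Token = jwt;
            return Task.CompletedTask;
        }
    };
});
builder.Services.AddAuthorization();
builder.Services.AddAntiforgery(); // pair with [ValidateAntiForgeryToken] on state-changing actions

var app = builder.Build();
app.Use(async (ctx, next) => { ctx.Response.Headers["X-Frame-Options"] = "DENY"; await next(); });
app.UseAuthentication();
app.UseAuthorization();

app.MapPost("/login", (HttpResponse res) =>
{
    // Credential check omitted; the point here is the cookie attributes. The JWT carries its own expiry.
    var jwt = new JwtSecurityTokenHandler().WriteToken(new JwtSecurityToken(
        issuer: "https://example.test", audience: "mvc-app",
        claims: new[] { new Claim(ClaimTypes.Name, "alice") }, expires: DateTime.UtcNow.AddMinutes(30),
        signingCredentials: new SigningCredentials(key, SecurityAlgorithms.HmacSha256)));
    res.Cookies.Append("auth", jwt, new CookieOptions
    {
        HttpOnly = true, Secure = true,            // unreadable by script; HTTPS only
        SameSite = SameSiteMode.Strict, Path = "/", // not sent cross-site; narrow Path if you can
        // No Expires/MaxAge: a session cookie, discarded when the browser closes
    });
    return Results.Ok();
});
app.MapGet("/me", (ClaimsPrincipal user) => Results.Ok(user.Identity?.Name)).RequireAuthorization();
app.Run();
```

With SameSite=Strict the cookie is never attached to requests initiated from another site, which is the CSRF protection the comments ask about; the anti-forgery token remains the fallback for browsers that ignore SameSite.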