23

I have a REST API for generating a token, which I'm using in an Angular 4 client, but the question is where to store this token.

On the internet I found that I can store it in local storage or in a cookie.

So my question is: if I store the token in local storage, for example, and I have just copied the valid token from another browser, then I will have a valid token. So is there any security in storing a token like that? Basically the same goes for cookies, or maybe I missed some important information?

Surreal
user2870934
  • Possible duplicate of [Angular2 cookies instead of localstorage](https://stackoverflow.com/questions/33495635/angular2-cookies-instead-of-localstorage) – Surreal Sep 19 '17 at 13:37
  • It's not a duplicate, since here security is involved, which is not the case on the other post. – Alex Beugnet Sep 19 '17 at 13:46

2 Answers

16

Here is a complete article about Tokens / Cookies that can give you a lot of knowledge about this subject : auth0 : Cookies VS Tokens

I'll quote the most important parts to make you understand what's coming next :

Two of the most common attack vectors facing websites are Cross Site Scripting (XSS) and Cross Site Request Forgery (XSRF or CSRF).

Cross Site Scripting (XSS) attacks occur when an outside entity is able to execute code within your website or app.

Cross Site Request Forgery attacks are not an issue if you are using JWT with local storage. On the other hand, if your use case requires you to store the JWT in a cookie, you will need to protect against XSRF.

Our CTO has argued in the past that XSS attacks are much easier to deal with compared to XSRF attacks because they are generally better understood.

So basically to sum up :

Hence, I'd recommend a standard JWT Token approach to manage your token. Since your token is signed with the JWT format, this is the safest solution in my opinion. Of course, a standard token would need to be either encrypted or signed (not the same) to be really secure.

Really easy to set up and manage with appropriate libraries (such as https://github.com/auth0/angular2-jwt)


To go further : I imagine your token would be used for authentication, and be aware that people have already worked with that and know what is good / bad practice using them.

You should take a look at how authentication is managed on working websites (such as Twitter / Facebook, etc...) where they use Refresh Tokens. Here are some additional links that could interest you :


EDIT : Additional links about best practices with JWT :

Alex Beugnet
  • Thank you for the reply, I'm using JWT tokens, but how is it better? I just put this token into a header, and this token is decrypted on the server side, but anyone else who has this token can just copy-paste it into his browser and use it as well, or am I missing something? – user2870934 Sep 19 '17 at 14:37
  • Basically, since Angular protects you from XSS attacks, no one should be able to get the JWT from the localStorage. And even if someone managed to get one token, the idea of using `short-lived` tokens (with the principle of a refresh token to get new short-lived access tokens) will make the stored token outdated and invalid very fast. I'll edit the post and add more links that explain that in depth. – Alex Beugnet Sep 19 '17 at 15:00
1

It's more about how you are going to validate it than how you are storing the token, what security measures you have taken to validate the same on the server side.

You need to make sure that the request is coming from a valid client and not from a malicious source, if you have a CORS-enabled API.

If you are using the token to store confidential info, you need to encrypt it before storing.

Madhu Ranjan
  • Makes sense, thanks. One point to remember is that front end applications can never be trusted. Assume a malicious user is bearing the token when dealing with requests to your api, and restrict data only necessary for that identity – Nick Gallimore Jun 19 '19 at 17:18