
I am using a JWT token for authentication and authorization. After login I want to store the value of the token in the frontend (React.js) so that we can send the token to the server for validating the different routes in Node.js according to the different API calls from different components in React.js. I am creating the app in React.js. I do not want to store it in local storage or in a cookie due to security concerns. Tell me the better way to store it.

Sharad kumar

1 Answer


The security concerns that you have will apply in any case where you need to persist the token.

The recommended way is to use an httpOnly cookie; this cookie can't be accessed from JavaScript and you don't need to worry about sending the token in each request. This cookie is the current "safe" option for maintaining a session in a web application.

On the other hand, you can still use JWT in localStorage, but yes, in the case of an XSS attack it can be stolen. But let's talk about security: if someone can inject JS code, they can still do everything with that session; the only difference in the case of an httpOnly cookie is that he can't save the credentials for later use or use them from another computer (sure, it makes everything harder for the hacker, but he can still do everything).

JWT is needed in the case where you are using federated authentication, and even then, if the JWT is stolen, it is because a third party already has access to the JS runtime, so the important thing is not "getting the token stolen", it is not allowing external code to be run in your app.

Sebastián Espinosa
  • How can we store the token in an HTTP cookie? Can you elaborate or provide me some implementation details? Actually I am sending the JWT in a header to authenticate routes. – Sharad kumar Apr 22 '20 at 02:41
  • If you use a cookie, you don't use a token, because there's no way to read the cookie if it is httpOnly; the cookie gets dropped into your browser and every time you make a request to the backend, the request will automatically pass the cookie to the server. Also, if you use a JWT, it's fine too; it is a little less secure but that is not relevant to be honest, just make sure that the requests are being made over https. If someone is able to steal the JWT, that's the threat; it doesn't matter if you use cookies at that point. – Sebastián Espinosa Apr 23 '20 at 06:26