-1

I understand how to set the cookie to be httpOnly on the server side when using express and jwt.

res.cookie("jwt", accessToken, { secure: true, httpOnly: true })

However, how can we leverage the httpOnly flag on the client side to make the authentication process secure and prevent the cookie from being hijacked? Can you explain with an example, please?

I am also trying to understand the difference between accessing a cookie when httpOnly is false and another cookie when httpOnly is true. I understand the latter will return an empty string, but where do we use it on the client side when using jwt for authentication? Should we just send an ajax call and not bother about anything else?

Waterfr Villa
  • You shouldn't need to do anything on the client with cookies, it should automatically get sent along with every request. Also consider *not* using JWT, sessions are often easier and more secure. – Evert Nov 22 '21 at 21:37

1 Answer

-1

You should not store JWT tokens directly in the cookie, as anyone looking at the cookies in the browser can steal the cookie. The cookie should be encrypted using strong encryption if you want to store it in the cookie.

HttpOnly will block JavaScript from accessing the cookie, and it is best practice to always set it on all important cookies. You should also add the Secure attribute to all cookies, and do consider setting the SameSite attribute to make it even more secure.

Tore Nestenius