Where should the JWT be stored? did you find it?

2021.10.12

I have used JWT as an authentication token for projects in recent years. I have always had a question: Where should the JWT sent by the server to the browser be stored? Here we only discuss the browser scenario. There are three options in this scenario.


I have used JWT as an authentication token for projects in recent years. I have always had a question: Where should the JWT sent by the server to the browser be stored? Here we only discuss the browser scenario. There are three options in this scenario.

 

Cookies

The server can send the JWT token to the browser through the Cookie, and the browser will automatically bring the JWT token in the Cookie header when requesting the server interface. The server can verify the JWT token in the Cookie header to achieve identity verify. But it is vulnerable to CSRF attacks.

 

The solution is to set the SameSite attribute of Cookie to Strict. Cookies will not be sent when cross-site. In other words, only if the URL of the current web page is consistent with the request target, the cookie will be carried.

 

In addition to being vulnerable to CSRF attacks, cookies are also XSS attacks. Hackers can read the information in Cookie through JS script. To prevent this, you can set the Cookie attribute to HttpOnly.

You can set its lifetime by setting Max-Age.

 

localStorage

localStorage can also store JWT tokens. This method is not susceptible to CSRF. But unlike Cookie, it does not automatically carry the token in the request, it needs to be implemented through code. But this will be attacked by XSS. In addition, if the user does not actively clear the JWT token, it will always be stored in localStorage.

 

sessionStorage

Most of the features of sessionStorage are similar to localStorage, but its life cycle is different from localStorage. It is session-level storage. It will be cleared after closing the page or browser.

 

Summarize

You may notice that all three methods have the same shortcoming-"vulnerability to XSS attacks." Please pay special attention to XSS protection and always follow the best practices of XSS protection.

 

in conclusion

All three forms are prone to XSS attacks. Therefore, if the security requirements are high, special targeted configuration is required. Among the three methods, Cookie provides a bunch of security options, such as SameSite, HttpOnly, etc. Therefore it is best to use cookies.

 

This article is reproduced from the WeChat public account "Ma Nong Pang Brother", you can follow the QR code below. To reprint this article, please contact the official account of the code farmer.