I am integrating a legacy application (an ASP.NET MVC 4 app) with OpenID Connect. Once I obtain the id_token and access_token from my OIDC provider I need to store them. In typical fashion they have to be sent 'over the wire' from the client side to the server side because the server side must process the id_token to determine which user made the request. The access_token is not processed by my application. It's just stored in my application until I need to make a request to an API that requires JWT Bearer authentication.
The way I see it is that the id_token and access_token are sent between client and server either way - whether it's in a header or a cookie. Can I store the id_token and access_token securely in a cookie if it's marked as HttpOnly?
Edit: I should add a little more information about my scenario.
1) My application always uses HTTPS, and all cookies are marked as Secure. This removes MITM (Man In The Middle) vulnerabilities.
2) Every PUT, POST and DELETE request uses ASP.NET's anti-forgery token classes. This protects against XSRF.
3) All input is escaped and sanitized using ASP.NET libraries, which removes XSS vulnerabilities.
4) The cookie that would contain the id_token would be marked as HttpOnly, removing the ability to read and access the cookie from the client side.
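As an added illustration of the setup described in the question (this is not code from the question or from any answer), the fragment below shows how an ASP.NET MVC 4 (.NET Framework 4.5) app would write the id_token into a cookie carrying the HttpOnly and Secure flags, read it back only on an HTTPS request, and expire it from a POST action guarded by `ValidateAntiForgeryToken`. The cookie name, the class and method names and the `expiresUtc` parameter are assumptions; validating the id_token itself (signature, issuer, audience, expiry) on every request is assumed to happen elsewhere and is not shown.

```csharp
// Added example for the question's scenario (hypothetical names; not the asker's code).
using System;
using System.Web;
using System.Web.Mvc;

public static class TokenCookie
{
    // Hypothetical cookie name.
    public const string Name = "oidc_id_token";

    // Store the id_token so that the browser (if it honours the flags) neither exposes
    // it to document.cookie nor sends it over plain HTTP.
    public static void Write(HttpResponseBase response, string idToken, DateTime expiresUtc)
    {
        var cookie = new HttpCookie(Name, idToken)
        {
            HttpOnly = true,      // not readable from client-side script
            Secure = true,        // only attached to HTTPS requests
            Path = "/",
            Expires = expiresUtc  // align with the token's exp claim, not the browser session
        };
        response.Cookies.Add(cookie);
    }

    // Read the token back; refuse to use it on a non-TLS request even if a client sent it.
    public static string Read(HttpRequestBase request)
    {
        if (!request.IsSecureConnection)
        {
            return null;
        }
        var cookie = request.Cookies[Name];
        return cookie == null ? null : cookie.Value;
    }

    // Expire the cookie on logout by overwriting it with a date in the past.
    public static void Clear(HttpResponseBase response)
    {
        var expired = new HttpCookie(Name, string.Empty)
        {
            HttpOnly = true,
            Secure = true,
            Path = "/",
            Expires = DateTime.UtcNow.AddDays(-1)
        };
        response.Cookies.Add(expired);
    }
}

public class SessionController : Controller
{
    // Pairs with @Html.AntiForgeryToken() in the logout form, so a cross-site POST
    // carrying the cookie alone cannot trigger this action.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Logout()
    {
        TokenCookie.Clear(Response);
        return RedirectToAction("Index", "Home");
    }
}
```

Two practical notes: the `<httpCookies httpOnlyCookies="true" requireSSL="true" />` element in web.config sets these flags as the default for every cookie the app issues, so a forgotten flag on one cookie does not undermine the rest; and because the browser still attaches the cookie to any request to the site, HttpOnly and Secure protect the token's confidentiality but not against request forgery, which is why the anti-forgery token on state-changing actions remains necessary. Id_tokens can also be several kilobytes, so check the combined cookie size against browser limits before relying on this approach.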
You should probably not store the tokens in cookies. Ideally the access token would be stored in memory on the client. This way they aren't sent automatically with requests to the server, which is what creates the risks involved with cookies. Anywhere else could open you up to potential vulnerabilities.
The RFC 6819 specification, titled "OAuth 2.0 Threat Model and Security Considerations", touches on the risks and vulnerabilities around OAuth tokens. Specifically, I would recommend reading the following sections:
In applications I have written the tokens have been stored in local storage and in memory.
I'd recommend reading through the OAuth 2.0 specification so you know the risks involved when using OAuth 2.0.
Please don't count on that. HttpOnly is a flag that tells the browser that this cookie should not be accessed by client-side scripts, and it holds only if the browser supports it. You can find more info here: https://www.owasp.org/index.php/HttpOnly I also suggest diving a little into the OWASP website, as they have documents on best practices for problems like the one you listed.
You can see if your browsers support HttpOnly here: https://caniuse.com/?search=httponly
As of 2021, 95% of browsers support it.