Is it a good practice to store JWT Tokens in memory

I wrote an ASP.NET Core 3.0 web API where I am using JWT tokens to authenticate a user. Once the user gets a token, he/she can use it until it expires.

What I have done is that I have also stored this token in memory on authentication, together with other minimal details, e.g. username, when the token was generated, and the "token" itself.

  1. My first question is: is it good practice? Tokens are stateless and therefore save the server side the hassle of maintaining them.

  2. My second question is: if it is acceptable to do so, then how do I remove this token information from memory once a token expires?

  3. If I am not storing this token in memory, how do I extract information like "get a list of all logged-in users"?

Samra asked Feb 12 '20 03:02




2 Answers

  1. Yes, it is good practice to cache the JWT in a memory cache like Redis or a simple in-memory cache. The newly created tokens are cached in memory with a cache eviction time the same as the token expiration time.
  2. When a request comes in to validate a token, it's first checked whether it exists in the memory cache; if not, it will be looked up in persistent storage like a DB.
  3. When the user invalidates a token (i.e. logs out), it should be removed from the cache and its state updated to invalidated in the DB.

In a distributed application, it's a challenge to maintain the state. For this reason, it's better to have a separate caching layer backed by Redis. In this way, we can keep the application stateless.

In addition to the token expiration time, you may want to add additional checks for validation, depending on the content of the JWT (aud claim, signature verification, etc.). To inspect the content of a JWT token, you can use tools like the one below:

https://devtoolzone.com/decoder/jwt

Cheers, Lakshmanan

Lakshmanan answered Oct 09 '22 20:10
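The cache-then-database flow from this answer, written out as an added example (not the answerer's code and not the asker's ASP.NET Core project): a Python sketch with a hypothetical HS256 issuer (`mint_token`), a constructed secret, and a plain dict standing in for the database. The signature and `exp` check runs before any cache lookup, cached entries are evicted at `exp`, a cache miss falls back to the store, logout removes and invalidates the token, and `logged_in_users` answers the asker's third question from the cache alone.

```python
import base64, hashlib, hmac, json
SECRET = b"constructed-demo-secret"  # constructed for this example, not a real signing key

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(user: str, exp: int) -> str:  # hypothetical HS256 issuer standing in for the API
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps({"sub": user, "exp": exp}).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def verify_token(token: str, now: int):  # signature and exp check, done before any cache lookup
    try:
        head, body, sig = token.split(".")
        want = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
        return claims if claims["exp"] > now else None
    except (ValueError, KeyError, TypeError):
        return None

class TokenCache:  # in-memory cache of issued tokens, evicted at exp, persistent store behind it
    def __init__(self, db: dict):
        self.cache = {}  # token -> claims; a Redis key with TTL = exp would play the same role
        self.db = db     # stand-in for the database: token -> "active" | "invalidated"
    def _evict(self, now: int):
        self.cache = {t: c for t, c in self.cache.items() if c["exp"] > now}
    def issue(self, user: str, now: int, ttl: int) -> str:
        token = mint_token(user, now + ttl)
        self.cache[token] = {"sub": user, "exp": now + ttl}
        self.db[token] = "active"
        return token
    def is_valid(self, token: str, now: int) -> bool:
        claims = verify_token(token, now)
        self._evict(now)
        if claims is None or (token not in self.cache and self.db.get(token) != "active"):
            return False
        self.cache[token] = claims  # hit, or a miss the database confirmed: keep it warm until exp
        return True
    def logout(self, token: str):  # drop from cache and mark invalidated in the database
        self.cache.pop(token, None)
        self.db[token] = "invalidated"
    def logged_in_users(self, now: int):  # users currently holding unexpired, non-revoked tokens
        self._evict(now)
        return sorted({c["sub"] for c in self.cache.values()})
```

Times are passed in explicitly so the expiry and eviction behaviour can be exercised deterministically; a real service would use the clock.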


When you say "in memory", does that mean locally on the client machine or somewhere in the server? I'm going to assume you mean client-side for their use.

I'm currently using JWT myself, so here are my recommendations:

1) Save the tokens in session storage.

2) Just empty the session (or wherever you're storing it).

3) You'll definitely need to store it somewhere if you want to access it. But getting a list of all users sounds like you want the data on the back-end. You can keep track of that on a back-end server, but usually these tokens are handled and persisted into databases. But even on a back-end server, you can just have an array of Client objects to track which ones are logged in (i.e. which ones have unexpired tokens).

The typical practice involves generating two tokens (auth token and refresh token) and then checking them against a database when the user submits a token for authentication.

Arc answered Oct 09 '22 21:10