
Is Redux a secure place to store JWT tokens?

I've been teaching myself Redux, and I'm wondering how secure it is to store JWT tokens in Redux state.

For example, here is a reducer which is responsible for setting and resetting a token.

    export default function loginReducer(state = {
        token: "",
    }, action) {
        switch (action.type) {
            case "SET_TOKEN": {
                // Keep the token carried by the action in the Redux state.
                return {
                    ...state,
                    token: action.data,
                };
            }
            // other cases here
            default:
                return state;
        }
    }

Then, you can store a token in the following way.

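    handleSubmit(values) {
        // Calling an API to get a token. The original post omits the request
        // itself; LOGIN_API_URL and the options object are placeholders.
        fetch(LOGIN_API_URL, {
            /* request options, e.g. method, headers and a body built from values */
        }).then((response) => {
            response.json().then((jsonResponse) => {
                // This is where the token is stored!
                this.props.dispatch(loginAction.setToken(jsonResponse.token));
            });
        });
    }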

The main purpose of using Redux is to organise states in one place, so I thought it would be reasonable to maintain tokens there.

However, I haven't found a good information resource which explains how secure/vulnerable it is to do so.

(I found several posts as to localStorage vs Cookies. Apparently Cookies would be a secure place for storing tokens, as far as I've researched)

Any advice will be appreciated!

Hiroki asked May 24 '17 23:05


People also ask

Can you store a JWT in redux?

Storing JWT Token: We can store it as a client-side cookie or in a localStorage or sessionStorage. There are pros and cons in each option but for this app, we'll store it in sessionStorage.

Where should I store JWT token securely?

Use cookies to store JWT tokens – always secure, always httpOnly, and with the proper same site flag. This configuration will secure your client's data, it will prevent XSS and CSRF attacks, and it should also simplify the web application, because you no longer have to handle tokens manually in frontend code.

Is the redux store secure?

No, there are no known vulnerabilities of using Redux. It doesn't really make sense to analyze Redux this way because it's just holding JavaScript data in memory. It's no more or less secure than JavaScript itself.


1 Answer

It doesn't really matter where you store it on the client side. If malicious code gets in through an XSS attack, nothing is really safe. If malicious code doesn't get in, nothing is really unsafe. Just don't have users sharing their stores with each other, and do the other stuff that's generally good security practice.

Michael Pearson answered Sep 18 '22 08:09
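
The cookie configuration mentioned on this page (Secure, HttpOnly, SameSite), as an added example that is not part of the original question or answer: a check over `Set-Cookie` headers for a token cookie, plus a reducer that tracks only login status once the token lives in such a cookie. The cookie name `session`, the sample headers and the action types are constructed for illustration.

```javascript
// Added example. Cookie name, sample headers and action types are constructed.

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((part) => part.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const attr of rest.filter(Boolean)) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  const name = eq === -1 ? "" : pair.slice(0, eq);
  return { name, value: pair.slice(eq + 1), attrs };
}

// Return the protective attributes a token-bearing cookie is missing.
function auditTokenCookie(header) {
  const { attrs } = parseSetCookie(header);
  const missing = [];
  if (attrs.httponly !== true) missing.push("HttpOnly"); // readable via document.cookie
  if (attrs.secure !== true) missing.push("Secure"); // may be sent over plain HTTP
  const sameSite = String(attrs.samesite || "").toLowerCase();
  if (sameSite !== "strict" && sameSite !== "lax") missing.push("SameSite"); // sent cross-site
  return missing;
}

// With the token in an HttpOnly cookie, Redux state only records login status.
function authReducer(state = { loggedIn: false }, action) {
  switch (action.type) {
    case "LOGIN_SUCCEEDED": // hypothetical action type
      return { ...state, loggedIn: true };
    case "LOGOUT": // hypothetical action type
      return { ...state, loggedIn: false };
    default:
      return state;
  }
}

// Constructed sample headers, weakest to strongest.
const SAMPLE_HEADERS = [
  "session=<jwt>; Path=/",
  "session=<jwt>; Path=/; Secure; SameSite=None",
  "session=<jwt>; Path=/; HttpOnly; Secure; SameSite=Strict",
];

for (const header of SAMPLE_HEADERS) {
  console.log(header, "->", auditTokenCookie(header).join(", ") || "ok");
}
```

HttpOnly only stops page scripts from reading the token; as the answer notes, keeping injected script out of the page in the first place still matters.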