I've been teaching myself Redux and am wondering how secure it is to store JWT tokens in Redux state.
For example, here is a reducer which is responsible for setting and resetting a token.
export default function loginReducer(state = { token: "" }, action) {
  switch (action.type) {
    case "SET_TOKEN":
      // Replace only the token; keep the rest of the slice unchanged.
      return {
        ...state,
        token: action.data,
      };
    // other cases here
    default:
      return state;
  }
}
Then, you can store a token in the following way.
handleSubmit(values) {
  // Calling an API to get a token. The endpoint path is a placeholder;
  // the original snippet omitted the request itself.
  fetch("/api/login", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(values),
  }).then((response) => {
    response.json().then((jsonResponse) => {
      // This is where the token is stored!
      this.props.dispatch(loginAction.setToken(jsonResponse.token));
    });
  });
}
The main purpose of using Redux is to organise state in one place, so I thought it would be reasonable to keep tokens there.
However, I haven't found a good information resource that explains how secure/vulnerable it is to do so.
(I found several posts about localStorage vs cookies. Apparently cookies would be a secure place for storing tokens, as far as I've researched.)
Any advice will be appreciated!
Storing JWT Token: We can store it as a client-side cookie or in localStorage or sessionStorage. There are pros and cons to each option, but for this app, we'll store it in sessionStorage.
Use cookies to store JWT tokens: always Secure, always HttpOnly, and with the proper SameSite flag. This configuration will secure your client's data, it will prevent XSS and CSRF attacks, and it should also simplify the web application, because you no longer have to handle tokens manually in frontend code.
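As an added example (not code from the question or from this answer), the following Node-compatible JavaScript builds the Set-Cookie header an API would return when it follows the advice above, and audits any Set-Cookie header for the same three attributes. The cookie name, the placeholder token and the endpoint details are assumptions; the audit is a hypothetical helper you would run against your own API's response headers, not part of any library.

```javascript
// Added example: issue a JWT as a hardened cookie and audit Set-Cookie headers.
// The token value below is a constructed placeholder, not a real signed JWT.

// Build the Set-Cookie header value for a session JWT. maxAgeSeconds should
// match the token's own exp claim so the cookie and the JWT expire together.
function buildTokenCookie(token, { name = "token", maxAgeSeconds = 3600, sameSite = "Strict" } = {}) {
  // Compact JWS form: header.payload.signature, base64url segments only.
  if (!/^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/.test(token)) {
    throw new Error("token is not a compact JWS (header.payload.signature)");
  }
  if (!["Strict", "Lax"].includes(sameSite)) {
    throw new Error("SameSite must be Strict or Lax for a session cookie");
  }
  return [
    `${name}=${token}`,
    "Path=/",
    `Max-Age=${maxAgeSeconds}`,
    "HttpOnly",             // not exposed via document.cookie, so injected script cannot read it
    "Secure",               // only sent over HTTPS
    `SameSite=${sameSite}`, // not attached to cross-site requests (CSRF mitigation)
  ].join("; ");
}

// Parse a Set-Cookie header value into { name, value, attrs }. Attribute names
// are lowercased; flag attributes (HttpOnly, Secure) map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim()).filter(Boolean);
  if (!pair) throw new Error("empty Set-Cookie header");
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Return the problems with a Set-Cookie header that carries a JWT; an empty
// list means it has the HttpOnly, Secure and SameSite attributes the answer asks for.
function auditTokenCookie(header) {
  const { attrs } = parseSetCookie(header);
  const problems = [];
  if (attrs.httponly !== true) problems.push("missing HttpOnly");
  if (attrs.secure !== true) problems.push("missing Secure");
  const sameSite = typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : null;
  if (sameSite === null) problems.push("missing SameSite");
  else if (sameSite === "none") problems.push("SameSite=None offers no CSRF protection");
  return problems;
}

// Stand-alone usage with a constructed placeholder token.
const EXAMPLE_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyMSJ9.c2ln";
const hardened = buildTokenCookie(EXAMPLE_JWT);
console.log(hardened);
console.log("hardened problems:", auditTokenCookie(hardened));
console.log("bare cookie problems:", auditTokenCookie(`token=${EXAMPLE_JWT}; Path=/`));

module.exports = { buildTokenCookie, parseSetCookie, auditTokenCookie, EXAMPLE_JWT };
```

On the client side, the fetch in the question then needs `credentials: "include"` (or `"same-origin"`) instead of a `dispatch` of the token, since the browser attaches the cookie itself and the script never sees the value. The audit is meant to run against the real `Set-Cookie` header your login endpoint returns, for example in an integration test.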
No, there are no known vulnerabilities in using Redux. It doesn't really make sense to analyze Redux this way because it's just holding JavaScript data in memory. It's no more or less secure than JavaScript itself.
It doesn't really matter where you store it on the client side. If malicious code gets in through an XSS attack, nothing is really safe. If malicious code doesn't get in, nothing is really unsafe. Just don't have users sharing their stores with each other, and do the other things that are generally good security practice.