Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is Redux a secure place to store JWT tokens?

Tags:

html

cookies

redux

I've been teaching myself Redux, wondering how secure it is to store JWT tokens in a state of Redux.

For example, here is a reducer which is responsible for setting and resetting a token.

export default function loginReducer(state = {
    token: "",
}, action) {
switch (action.type) {
    case "SET_TOKEN":
        {
            return {
                ...state,
                token: action.data,
            }
            break;
        }
    //other cases here
    return state
}

Then, you can store a token in a following way.

    handleSubmit(values) {
        //Calling an API to get a token.
    }).then((response) => {
            response.json().then((jsonReponse) => {         
             //This is where the token is stored!
        this.props.dispatch(loginAction.setToken(jsonReponse.token));
            });
        });
    }

The main purpose of using Redux is to organise states in one place, so I thought it would be reasonable to maintain tokens there.

However, I haven't found a good information resource which explains how secure/vulnerable it is to do so.

(I found several posts as to localStorage vs Cookies. Apparently Cookies would be a secure place for storing tokens, as far as I've researched)

Any advice will be appreciated!

like image 693
Hiroki Avatar asked May 24 '17 23:05

Hiroki

People also ask

Can you store a JWT in redux?

Storing JWT TokenWe can store it as a client-side cookie or in a localStorage or sessionStorage. There are pros and cons in each option but for this app, we'll store it in sessionStorage.

Where should I store JWT token securely?

Use cookies to store JWT tokens – always secure, always httpOnly, and with the proper same site flag. This configuration will secure your client's data, it will prevent XSS and CSRF attack and also should simplify web application, because you do not have to care about using tokens manually on frontend code anymore.

Is the redux store secure?

No, there are no known vulnerabilities of using Redux. It doesn't really make sense to analyze redux this way because it's just holding javascript data in memory. It's no more or less secure than Javascript itself.

1 Answers

It doesn't really matter where you store it on the client side. If malicious code gets in through an XSS attack, nothing is really safe. If malicious code doesn't get in, nothing is really unsafe. Just don't have users sharing their stores with each other, and do the other stuff that's generally good security practice.

like image 113
Michael Pearson Avatar answered Sep 18 '22 08:09

Michael Pearson
Sign in to Comment

Related questions

Can TypeScript be used in conjunction with PhoneGap (or similar)?
API in Flask--returns JSON but HTML exceptions break my JSON client
How to create a visualizer for audio player [duplicate]
Bootstrap 3 - Scrollable content div
How to make a YouTube embedded video a full page width one?
Creating a sticky header on a thead
Remove Default round border of <select> element in Mac OS Browser:Chrome
Check element type in BeautifulSoup 3
How do I create a printer friendly HTML page?
Selector for not immediate child element
include a .handlebars or a .hbs file in html
Semantic UI - Keep thead visible when scrolling tbody
How to add Font Awesome icon into <input> button?
How to map Html files with web.xml?
How can I set the font-family & font-size inside of a div?
Shine effect automatically with css
render html strings in flask templates
flexbox div goes off screen on small screen
Use [ngValue] and [selected] in select tag
How to get html content of component in vue js

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!