Is storing an OAuth token in cookies bad practice?

Is storing an OAuth 2 token in cookies bad practice? If so, what are alternatives for a web app?

398 likes
asked Dec 10 '16 14:12 by Tryingitall987



1 Answer

Whether you can store the access_token in cookies depends on the following things:

  1. Is the access_token stored in the cookie encrypted or not (it definitely should be)
  2. The access_token is a bearer token, so it is not tied to browser flows. Cookies in general are meant for maintaining state in browsers. So if the lifecycle of the token is the same as the cookie's, go ahead; otherwise not. When I say lifecycle, I mean lifespan, etc.
  3. Also, please consider the fact that an access token is not an identity token
  4. Access tokens are completely client side, and servers that generally use cookies to maintain sessions mostly maintain a matching server-side session as well.

I hope this helps.

181 likes
answered Sep 28 '22 04:09 by dvsakgec