Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is storing an OAuth token in cookies bad practice?

Tags:

html

web-applications

cookies

oauth

oauth-2.0

Is storing an OAuth 2 token in cookies bad practice? If so, what are alternatives for a web app?

like image 398
Tryingitall987 Avatar asked Dec 10 '16 14:12

Tryingitall987

People also ask

Is it safe to store auth token in cookie?

Local storage is vulnerable because it's easily accessible using JavaScript and an attacker can retrieve your access token and use it later. However, while httpOnly cookies are not accessible using JavaScript, this doesn't mean that by using cookies you are safe from XSS attacks involving your access token.

Where should OAuth tokens be stored?

Tokens received from OAuth providers are stored in a Client Access Token Store. You can configure client access token stores under the Libraries > OAuth2 Stores node in the Policy Studio tree view.

Is an auth token a cookie?

Cookies and tokens are two common ways of setting up authentication. Cookies are chunks of data created by the server and sent to the client for communication purposes. Tokens, usually referring to JSON Web Tokens (JWTs), are signed credentials encoded into a long string of characters created by the server.

Is it safe to store JWT in cookie?

To keep them secure, you should always store JWTs inside an httpOnly cookie. This is a special kind of cookie that's only sent in HTTP requests to the server. It's never accessible (both for reading or writing) from JavaScript running in the browser.

1 Answers

Whether you can store the access_token in cookies depends on following things:

  1. Is the access_token stored in cookie encrypted or not (it definitely should be)
  2. Access_token is a bearer token so it is not tied to browser flows. Cookies in general are meant for maintaining state in browsers. So if lifecycle of token is same as cookie, go ahead otherwise not. When I say lifecycle, I mean lifespan, etc.
  3. Also, please consider this fact too that access token is not identity token
  4. Access tokens are completely client side, and servers that generally use cookies to maintain sessions, mostly maintain matching server side session as well.

I hope this helps.

like image 181
dvsakgec Avatar answered Sep 28 '22 04:09

dvsakgec
Sign in to Comment

Related questions

Firefox cache textarea value?
CSS Selector for Child of Parent's Sibling Element
Apply Stripe Coupon
height:100% inside table-cell not working on Firefox and IE
Range Slider Event Handler Javascript
Should <head> and <body> tags be on a different level of indentation to <html>?
img tag not working with relative path in src
How to Add Smooth Scrolling Back To Top Button using react js?
Chrome is not clearing cache
Disable Chrome's default headers & footers in headless print-to-pdf
Get (text) in XPath
Specify parent divs opacity but make it not affect children HTML elements
Why does the .tagName DOM property return an uppercase value?
Why does my first inline-block element have space above it
HTML Templates JavaScript polyfills
html data- attributes in ember.js handlebars
Overlay that covers only parent div
How do I take code from Codepen, and use it locally?
Remove space between two trapezoids
get text after specific tag with beautiful soup

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!