Should I store JWT tokens in IndexedDB?

Tags: cookies, jwt

After reading some articles, I realize that using localStorage and sessionStorage is a bad idea for storing JWT tokens, and cookies with httpOnly should be used instead.

As I read more and learned a bit about IndexedDB today, I wonder if IndexedDB is a secure option for storing JWT tokens as well?

Hugo Sum Avatar asked Jun 13 '20 13:06




1 Answer

The short answer is NO, as you are pretty much convinced using localStorage and sessionStorage is a bad idea. IndexedDB is also vulnerable to cross-site scripting (XSS) attacks similar to local storage.

Regardless of security -

  1. IndexedDB API is powerful but may seem too complicated (I'd go so far as to say 'horrific') for simple use cases such as storing jwt token. Because, even for this implementation, you will have to write more code. (More code, which means maybe more bugs). Just be aware of the steep learning curve when you're getting started with it.
  2. IndexedDB is not actually designed for such use cases. It is designed to work with significantly larger amounts of structured data. For basic key-value operations, IndexedDB performance takes a hit.
  3. Browser support for IndexedDB also isn't quite good.
Pankaj Tanwar Avatar answered Sep 28 '22 04:09

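As an added example (not code from the answer or the original post), here is the server-side half of the httpOnly-cookie recommendation in plain Node.js: the JWT is issued in an `HttpOnly; Secure; SameSite` cookie instead of being handed to page scripts (which is what localStorage, sessionStorage and IndexedDB all amount to), and it is read back only from the request's `Cookie` header. The helper names `buildAuthCookie` and `readAuthCookie` and the sample token are constructed for illustration.

```javascript
// Added example: issuing and reading a JWT via an httpOnly cookie in Node.js.
// No framework is used; the sample token below is a constructed placeholder,
// not a real signed JWT.

// A compact JWS is three base64url segments joined by '.', so this check both
// validates the shape and rejects characters (';', whitespace, etc.) that could
// break out of the Set-Cookie attribute syntax.
const JWT_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;

// Build the Set-Cookie header value for the auth cookie.
function buildAuthCookie(token, { name = "auth", maxAgeSeconds = 900 } = {}) {
  if (!JWT_SHAPE.test(token)) {
    throw new Error("token is not a compact JWS; refusing to set cookie");
  }
  return [
    `${name}=${token}`,
    "HttpOnly",         // not readable via document.cookie or any page script
    "Secure",           // only sent over TLS
    "SameSite=Strict",  // not attached to cross-site requests (CSRF mitigation)
    "Path=/",
    `Max-Age=${maxAgeSeconds}`, // short lifetime; pair with a refresh flow
  ].join("; ");
}

// Read the token back from an incoming request's Cookie header. Browser-side
// code never sees the value; only the server does. Returns null if the cookie
// is absent or malformed.
function readAuthCookie(cookieHeader, name = "auth") {
  if (!cookieHeader) return null;
  for (const part of cookieHeader.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    if (part.slice(0, idx).trim() !== name) continue;
    const value = part.slice(idx + 1).trim();
    return JWT_SHAPE.test(value) ? value : null;
  }
  return null;
}

// Constructed sample token (header.payload.signature, not cryptographically valid).
const SAMPLE_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyMSJ9.c2lnbmF0dXJl";

// Example usage: res.setHeader("Set-Cookie", buildAuthCookie(SAMPLE_JWT));
// and later: const token = readAuthCookie(req.headers.cookie);
```

The signature of the token read back must still be verified server-side on every request; the cookie flags only control where the browser keeps the token and when it sends it.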