Interesting topic. Since I'm creating my first real bigger project with a Node.js Api and React Redux Client I need authentication.
Now I'm at the point where I don't know how to handle authentication "the right way".
I have read many topics about it, but the opinions differ.
So at first there are the people who say straight away: don't use localStorage with JWT.
For example here is an article: https://dev.to/rdegges/please-stop-using-local-storage-1i04
Here is another article from auth0: https://auth0.com/docs/security/store-tokens
But then I dug deeper into the wide world of authentication and found many people stating:
"localStorage is as secure as a cookie"
For example from the first article the first comment, the third reply (here is a link: https://dev.to/jondubois/comment/373l )
I mean, he has a point, right? I have also read some other articles and comments that say it's perfectly fine to store it in localStorage if you are not a bank with very sensitive data.
So here I am in 2019, not a beginner but also not an experienced developer, asking myself how I should implement this authentication flow without it being too over-complicated (there are flows for storing the JWT in an httpOnly cookie, for example) but on the other hand also not very easy to hack.
I'm trying to create a forum application. You can register, create your own forum and then other users can register for this forum. So basic authentication where I just send the user_id and token with the JWT.
I would really appreciate hearing your opinions and recommendations, guys.
A JWT needs to be stored in a safe place inside the user's browser. Anyway, you shouldn't store a JWT in local storage (or session storage). If you store it in localStorage/sessionStorage then it can be easily grabbed by an XSS attack.
Hence, it's always best to store JWTs in http-only cookies. Http-only cookies are special cookies that cannot be accessed by client-side JavaScript. This way they're secure against XSS attacks.
However, people don't recommend saving the JWT in localStorage. The security reason against localStorage is Cross-Site Scripting (XSS). Attackers can use JavaScript to manipulate data in localStorage.
Use cookies to store JWT tokens: always Secure, always HttpOnly, and with the proper SameSite flag. This configuration will secure your client's data, it will prevent XSS and CSRF attacks, and it should also simplify the web application, because you do not have to handle tokens manually in frontend code anymore.
I looked for this answer too, and finally I found really interesting and helpful articles about the security of JWT tokens:
- https://security.stackexchange.com/questions/179487/store-splitted-jwt-for-csrf-protection-and-refresh-strategy
- https://medium.com/@jcbaey/authentication-in-spa-reactjs-and-vuejs-the-right-way-e4a9ac5cd9a3
TL;DR: you should store the 1st part of the token in a cookie with the httpOnly: true parameter and the rest of the token in a cookie without the httpOnly argument, so JavaScript can take and use your JWT payload information in the browser.