 

Where should one store the authentication token in ASP.Net Core

My application has an API part and a website-part. On the website, the user can log in and gets a JWT bearer token from the API.

My question now is:

Where should I store that token?

Some say, store it in a Cookie (while others say "don't, because CSRF"), some say HTML5 Web Storage, others say use Session (while others say, "don't use Sessions in ASP.Net Core") and I saw an article where someone stored the auth-token in a database (??). So, what's now the correct place?

Matthias Burger asked May 30 '17 10:05



1 Answer

MVC-web application with many controllers and a lot of views

If you have to use the token to authenticate every request to your MVC app, I think the best option is to store it in a session cookie because, if not, the web browser is not going to send the token automatically in every request and it will be a pain in the ass.

Now, to secure the cookie and requests:

  • Make it a session cookie (no expiry date).
  • Restrict the scope of the cookie all you can (domain and path).
  • Set Secure and HttpOnly attributes.
  • Set SameSite attribute.
  • If browser does not support SameSite use an anti-CSRF token.
  • Set restrictive X-Frame-Options.
  • Do not forget to verify the JWT signature on your server on every request.
  • Encrypt the JWT token to prevent leaking information that could lead to social engineering.
jlvaquero answered Sep 20 '22 20:09

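As an added example (not code from the question or the answer above), this is what the answer's checklist looks like in an ASP.NET Core `Program.cs`: the JWT lives in a hardened session cookie, the bearer handler reads it from that cookie and verifies the signature on every request, and a restrictive `X-Frame-Options` header is set. The cookie name `__Host-auth`, the `Jwt:Key`/`Jwt:Issuer`/`Jwt:Audience` configuration keys and the `StoreTokenCookie` helper are assumptions; the JWE encryption bullet is not shown.

```csharp
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

// Assumed cookie name: the __Host- prefix makes browsers require Secure, Path=/ and no Domain (tightest scope).
const string TokenCookie = "__Host-auth";

var builder = WebApplication.CreateBuilder(args);
// Jwt:Key, Jwt:Issuer and Jwt:Audience are assumed configuration keys.
var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"]!));

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(o =>
{
    o.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuerSigningKey = true, IssuerSigningKey = signingKey, // signature verified on every request
        ValidateIssuer = true, ValidIssuer = builder.Configuration["Jwt:Issuer"],
        ValidateAudience = true, ValidAudience = builder.Configuration["Jwt:Audience"],
        ValidateLifetime = true, ClockSkew = TimeSpan.FromSeconds(30)
    };
    // The browser attaches the cookie by itself; hand its value to the bearer handler.
    o.Events = new JwtBearerEvents
    {
        OnMessageReceived = ctx =>
        {
            if (ctx.Request.Cookies.TryGetValue(TokenCookie, out var jwt)) ctx.Token = jwt;
            return Task.CompletedTask;
        }
    };
});
builder.Services.AddAntiforgery(); // pair with [ValidateAntiForgeryToken] on state-changing actions
builder.Services.AddControllersWithViews();

var app = builder.Build();
app.Use(async (ctx, next) =>
{
    ctx.Response.Headers["X-Frame-Options"] = "DENY"; // restrictive framing policy
    await next();
});
app.UseAuthentication();
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.Run();
// Hypothetical helper the login action calls once the API has issued the JWT.
static void StoreTokenCookie(HttpResponse response, string jwt) =>
    response.Cookies.Append(TokenCookie, jwt, new CookieOptions
    {
        HttpOnly = true, Secure = true, SameSite = SameSiteMode.Strict, Path = "/" // no Expires: session cookie
    });
```

With `SameSite=Strict` and `HttpOnly` the cookie is neither sent on cross-site requests nor readable by page script, which is the answer's CSRF and leakage argument; the antiforgery token covers browsers that ignore `SameSite`.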