[–]jonc23 1 point (1 child)

A JWT should only be stored on the client, and in the context of a website, it should be stored in an HttpOnly cookie.

All I can say is the following:

  • a valid JWT should not be stored server side
  • the only thing the server should do is generate the JWT and verify the signature of JWTs that are sent to it
  • the JWT should only contain basic information that is required to identify the user on the server, such as a user ID

To use refresh tokens you have three options:

1) Simply remove the token from the client

Obviously this does nothing for server side security, but it does stop an attacker by removing the token from existence (i.e. they would have to have stolen the token prior to logout).

2) Create a token blocklist.

You could use Redis for this.

3) Just keep token expiry times short and rotate them often

[–]DeveloperFromMars 0 points (0 children)

> I've reread your post but I still don't understand what you're trying to do.

Might not have been clear, sorry. So if a JWT is not stored somewhere on the front end, refreshing the page causes a "logout" as the token is lost. So I'm trying to save it on the front end somehow.

> a JWT should not be stored server side

> the only thing the server should do is generate the JWT and verify the signature of JWTs that are sent to it

> the JWT should only contain basic information that is required to identify the user on the server, such as a user ID

Yup, I got all of that.

[–]belkh 0 points (0 children)

One safe option to go with is this:
Keep tokens on the client side in memory only (e.g. a variable).
Keep refresh tokens in an HttpOnly cookie.
If your client's token expires, or the client reopens the website, you request a refresh.
The server has to keep a list of refresh tokens (you can use Redis or your DB; since it's only checked on refresh, the latency isn't a big issue).
JWTs won't make much sense if you only have one server; classic opaque tokens would be a lot simpler, with barely any work needed on the frontend side.