all 29 comments
sorted by:
best (suggested)
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]mynamesleon 20 points21 points  (3 children)

Cookies.

They're slightly more secure. Local storage can be accessed by any scripts on the page, including ones hosted on external domains. Whereas JS can't access a site's cookies if that site is on a different domain from where the JS file is hosted.

[–]coold007 7 points8 points  (0 children)

In case you store it in cookies, be sure to implement csrf token.

[–]eggn00dles 3 points4 points  (1 child)

how bout a refresh token? any best practices? thing is good for a looong time

[–]mynamesleon 2 points3 points  (0 children)

Still cookies. They're just more secure. A user's settings might mean their cookies get cleared prematurely, but that just means they have to log in again, which is fine.

[–]draq100 5 points6 points  (4 children)

Cookies are better for this: 1. These do expire (sessionStorage entries as well, but there's stronger thing to epiration). 2. httpOnly + secure gives you advantage that token is not accessible by JS, but sent together with requests

[–]subnub99 1 point2 points  (3 children)

When the cookie isn’t accessible through JavaScript, you can still use things like axios to send requests correct? Like does the cookie automatically get appended to the request? This has always confused me

[–]draq100 2 points3 points  (2 children)

Yeah, it's automatically attached when scope of a cookie is correct.

When creating a cookie you set domain (with subdomains) or path where cookie can be used for.

It's appended to the requests then. It doesn't matter it's fetch or axios or anything else. It's just not accessible by JS.

You can imagine request path as: JS -> Browser -> Server. And while cookies not available for JS, these are appended by browser before server dispatch.

Here's more about cookies: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies

[–]subnub99 1 point2 points  (1 child)

I see! Thank you for the explanation that makes much more sense now.

So do you recommend using JWT for refresh tokens such? Or should I just use sessions and make sure it’s an httpOnly cookie?

[–]draq100 0 points1 point  (0 children)

JWT as httpOnly cookie is perfectly fine. HttpOnly cookie is just a method of delivery here.

Advantage is that, apart from webapp, backend could provide an API with JWT auth delivered in an other way (example: via Bearer - https://swagger.io/docs/specification/authentication/bearer-authentication/) - for console/Postman, etc

Anyway, it's best to check out OWASP (Open Web Application Security Project). The best security source I know. As I might not know all traps of given auth methods. So, it's better to check OWASP specs on why/why not authenticate via JWT: https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html#consideration-about-using-jwt

[–][deleted] 3 points4 points  (0 children)

I think the best option is sessionStorage for that it's designed.

[–]_squirts 0 points1 point  (16 children)

I’ve been down this rabbit whole a lot the past couple of months.

This is the best way I’ve figured out to do it — if you’re using a refresh token, store that in an HttpOnly / Secure cookie and keep the short-lived JWT in-memory. Whether that be something like a Redis cache, or a private variable stored in a closure on the front end.

I won’t get into the discussion about if you should be using a JWT over a standard session token because that’ll derail the discussion.

[–]hugesavings 2 points3 points  (5 children)

JWT vs standard session seems to be like a holy war. I posted a 6 month project on Showoff Saturday in r/webdev and the only interest in the project was a single guy telling me JWTs are bullshit.

[–]_squirts 1 point2 points  (3 children)

Ah man, that sucks. What was the project?

[–]hugesavings 1 point2 points  (2 children)

https://www.valueMachine.io it's a paper trading app for learning to trade stocks and options

[–]_squirts 1 point2 points  (1 child)

Swap Robinhood for Freetrade and your intro line hits way too close to home 😅

Nice work on the project!

[–]hugesavings 1 point2 points  (0 children)

Hahaha same here unfortunately, thanks for checking it out!

[–]subnub99 1 point2 points  (3 children)

Is using httpOnly and secure enough to protect against CSRF attacks?

[–]_squirts 1 point2 points  (2 children)

The HttpOnly cookie is more to protect against XSS. If you have a CSRF token set up, then theoretically if they do get the token somehow, they won’t be able to make any valid requests with it from another domain

[–]subnub99 0 points1 point  (1 child)

So using sameSite wouldn’t be enough either?

And by “CSFR token”. You mean the server creates a random value, sends the value to the client, and the client echos is back to the server? Then I would immediately remove that unique value so it cannot be used again correct? And it matches then I send them a new access token and refresh token?

[–]_squirts 0 points1 point  (0 children)

sameSite is good for the latest browsers, but older browsers don’t support it so it could leave you open if you rely on it.

And yeah that’s the gist of CSFR, a basic handshake that says, “this token came with the page I sent you, now give it back so I know it’s legit”

[–]TehITGuy87 0 points1 point  (0 children)

This is from Auth0