
I have built a basic REST API that uses JSON Web Tokens for authentication. Currently, I have built my frontend to store the JWTs in localStorage. I have read this is insecure and want to switch to cookies. The login route on my API returns the JWT token pair back to the client (and the refresh token route returns the new access token).

As far as I understand, an attacker could do an XMLHttpRequest on the refresh token route while the user is logged in, and then access the new access token from the response. Is this true, is it a security issue, or can I keep returning the tokens (and also send the tokens in cookies)?

    Issue a refresh token to the user together with the access token to authorize refresh of the access token.
    – defalt
    Commented Jul 26, 2023 at 7:10

1 Answer


Cookie-based authentication is also considered relatively insecure.

While JWTs offer protection against CSRF attacks, they do leave you vulnerable to XSS attacks. This is due to the fact that a malicious party could potentially execute a script to retrieve the JWT.

Conversely, embedding a token inside a cookie can effectively safeguard you against XSS attacks. However, the drawback is that it leaves you susceptible to CSRF attacks, as these tokens are automatically transmitted with each request by default.

The most comprehensive security approach is to incorporate both methods: placing the JWT token into an HTTP-only cookie.

In terms of securing the refresh route, there are several strategies that can be implemented. For instance, you could require the current token to be sent to the route. Subsequently, you could implement logic to embed it in the cookie. This approach renders the token useless to an attacker who doesn't already possess a prior JWT token.

