DEV Community


Discussion on: JSON web tokens are NOT meant for authenticating the same user repeatedly: Use session tokens instead

andreidascalu profile image
Andrei Dascalu • Edited

Errr, jwt shouldn't be stored neither in cookie or localstorage. They should be stored in memory (there's no perfect solution though, even cookies are vulnerable to csrf)

You should never need to invalidate jwts immediately, they should expire fast (a few minutes). To invalidate logins instantly there are a number of ways to do it. My favorite is an in validation marker. Any token with expiration date after an in validation marker will be rejected alongside any attached refresh token thus forcing the user to authenticate again.
You should never need to carry state in tokens. Tokens should help identify state for the backend.

Thread Thread
branislavlazic profile image
Branislav Lazic

Storing JWT access token in memory will make it vulnerable to XSS attacks. Fundamental of web security implementation is to presume that potential attacker knows how your implementation works. Storing access token in a cookie with httpOnly flag is a way to go. JS is unable to access httpOnly cookie. JWT indeed cannot be invalidated immediately without persisting some state which indicates that the token is invalidated or by rotating secret key used for its signing.

Thread Thread
andreidascalu profile image
Andrei Dascalu

Actually it's about the same. Nobody needs to "get" your token. Cookies are being sent on client side requests. Xss doesn't need to read your token, it needs to make requests on your behalf and can do so if your token is stored in cookie.

Forem Open with the Forem app