DEV Community

Discussion on: JSON web tokens are NOT meant for authenticating the same user repeatedly: Use session tokens instead

Branislav Lazic

Storing them in local storage indeed makes them vulnerable to XSS attacks. If you think about the old-fashioned way of XSS, when an attacker submits malicious JS code through some field... naha... we’re past those days. Every modern JS project is using a ton of 3rd-party dependencies. And there’s your source of XSS attacks. Yes, you can store both access tokens (I really don’t know why people constantly call them JWT, since JWT is just a format) and refresh tokens in a database, but what’s the advantage over session-based auth?