DEV Community


Discussion on: JSON web tokens are NOT meant for authenticating the same user repeatedly: Use session tokens instead

darkwiiplayer profile image
DarkWiiPlayer • Edited

Arguing that you shouldn't store access tokens in local storage because XSS is akin to arguing you shouldn't store your underwear in wooden drawers in case your house burns down. If you have a XSS vulnerability, you're screwed, and so are your users if you don't notice it quickly and shut everything down.

Local storage as least as long as everything else on your site is safe. If local storage is compromised, your house is on fire.

As for quick expiry: what's the point when an attack can happen in a matter of seconds after a token has been exfiltrated? The moment the access information gets to a malicious server, count to 3 and you've bought ten washing machines delivered to india, rated 30k products with 5 stars and sent an 20 messages with scam links to each of your contacts. Using short-lived tokens is only an option for invalidating old sessions reasonably quickly without hammering the database for every request; but it doesn't add much security beyond this.

If you think you need safer technology for your access tokens, you're probably looking at the wrong place, and should instead consider adding other layers of security: Asking for a password, or at least running much more secure checks on important actions (Buy things, delete things, transfer ownership of things, etc.); Give users an option to invalidate all of their sessions and do this automatically if they change their password, email, or other such information; send out emails for certain actions, if not asking for confirmation, then at least to inform the user and possibly giving them a way to revert whatever changes were made.

Forem Open with the Forem app