DEV Community

loading...

Discussion on: How to securely store JWT tokens.

Collapse
franky47 profile image
François Best

A technique I use is to split the JWT into two cookies. The header + payload accessible through JavaScript (for client-side reading of the claims), and the signature is HTTP only (not accessible through JavaScript). Align cookie expiration with JWT expiration for auto-logout.

medium.com/lightrail/getting-token...

Collapse
gkoniaris profile image
Collapse
charlesgiroux profile image
Charles-Antoine Giroux

I use this.

Header + Payload are stored in LocalStorage and sent in a header with fetch.
Signature is in a cookie with HttpOnly.

The server stitches the header with the cookie and then validates the JWT. This works well in IE 11 which does not support SameSite cookies.