re: How to securely store JWT tokens. VIEW POST


A technique I use is to split the JWT into two cookies. The header + payload accessible through JavaScript (for client-side reading of the claims), and the signature is HTTP only (not accessible through JavaScript). Align cookie expiration with JWT expiration for auto-logout.



I use this.

Header + Payload are stored in LocalStorage and sent in a header with fetch.
Signature is in a cookie with HttpOnly.

The server stitches the header with the cookie and then validates the JWT. This works well in IE 11 which does not support SameSite cookies.

code of conduct - report abuse