Why would I use cookie based JWT authentication?
Then you don't need to read the localStorage each time and manually send the token alongside every request from the client.
Thanks for the feedback! 😊 I usually keep the JWT on localstorage. But I know a lot of people who prefer to keep it in cookies. 😉
Sure, I'm just curious to know what is the benefit of using JWT inside cookies? Thanks.
The biggest difference when saving the JWT in a cookie would be the fact that when making an http request, the cookie would be sent with the request. But if you store the JWT in localstorage, you would have to send it explicitly with each http request. 🧐
Ahan, I understand. I wasn't sure if this was for a server-side website. Meaning, we don't have to use packages like Passport.js with this approach.
Exactly. If you do it this way you end up with less boilerplate in your Api. The use of Passport.js is not incorrect, I just like to show that we can make simple and functional implementations. 🥸
Please, can you tell me what the exact role of a Passport strategy is next to the normal JWT?
Passport is a middleware with a good level of abstraction, for example, with jwt you wouldn't have to write that much code. In addition to being faster to implement, it is also the simplest. However, business rules can change from project to project so I advise people to know how to do a simple setup.
According to my research, storing auth tokens in localStorage and sessionStorage is insecure because the token can be retrieved from the browser store in an XSS attack. Cookies with the httpOnly flag set are not accessible to client-side JS and therefore aren't subject to XSS attacks.
After learning this, I tried implementing an Authorization: Bearer XXXXXXXXX request header, but keeping the token stored safely in the cookie. Then I realized I won't be able to copy the token from the cookie to the request header if I can't access it with client-side JS (httpOnly, remember?)
I've therefore come to conclude that saving the token in an httpOnly cookie and sending it to the server as a request cookie is the only secure way of using JWT.
Wow, I didn't know that!