Jen-Hsuan Hsieh
Day 29 of #100DaysOfCode: store JWT to HttpOnly Cookie instead of the localStorage

Introduction

100DaysOfCode is a series of articles recording my process of learning programming. It is just like a diary. I prefer to write a small paragraph or paste a link to the details so that I can write every day.
Feel free to check the link if you want to know more details, thank you!

I have been developing an SPA on Django/DRF recently, using JSON Web Tokens (JWT) to authorize users for login and other operations. Creating JWT-protected endpoints and exchanging a social media access token for a JWT were fine for me.

However, security is a critical issue with JWTs: where should we store the token? I tried several approaches and wrote this note.

Details

Please refer to my article for details.

https://medium.com/a-layman/where-should-we-store-the-jwt-for-spa-memory-cookie-or-localstorage-2491912d8e79

It covers the following topics:

  1. The safest place: Browser’s Memory
  2. Should we store JWT in the LocalStorage?
  3. Double tokens policy: HttpOnly Cookie + CSRF token
  4. Summary
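The third topic, the double-token policy, as an added example that is not part of this post or the linked Medium article: the JWT is set in an HttpOnly cookie (page scripts cannot read it), and a separate, readable CSRF cookie must be echoed back in a request header on state-changing requests. Cookie and header names, the sample token and the helper functions are assumptions for this example, using only the Python standard library rather than Django's own middleware.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed sample token; a real JWT would be signed by the backend.
SAMPLE_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2lnbmF0dXJl"
CSRF_HEADER = "X-CSRFToken"  # header name assumed for this example


def issue_session(jwt, max_age=3600):
    """Build the Set-Cookie values for the double-token policy.

    Returns ([set_cookie_value, ...], csrf_token). The JWT lives in an
    HttpOnly cookie, so JavaScript (and therefore an XSS payload) cannot
    read it; the CSRF token lives in a readable cookie so the SPA can copy
    it into a request header.
    """
    csrf_token = secrets.token_urlsafe(32)
    jar = SimpleCookie()
    jar["access_token"] = jwt
    for attr, val in {"httponly": True, "secure": True, "samesite": "Lax",
                      "path": "/", "max-age": max_age}.items():
        jar["access_token"][attr] = val
    jar["csrftoken"] = csrf_token
    # Deliberately NOT HttpOnly: the SPA must be able to read this one.
    for attr, val in {"secure": True, "samesite": "Lax", "path": "/"}.items():
        jar["csrftoken"][attr] = val
    return [m.OutputString() for m in jar.values()], csrf_token


def authorize_request(cookie_header, headers, method):
    """Server-side check for one request; returns the JWT or None.

    Safe methods only need the HttpOnly cookie. State-changing methods must
    also carry the CSRF token in a header that matches the csrftoken cookie:
    a cross-site page can make the browser attach the cookies, but it cannot
    read the csrftoken cookie to fill in the header.
    """
    jar = SimpleCookie()
    jar.load(cookie_header)
    if "access_token" not in jar:
        return None
    jwt = jar["access_token"].value
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return jwt
    cookie_csrf = jar["csrftoken"].value if "csrftoken" in jar else ""
    header_csrf = headers.get(CSRF_HEADER, "")
    if not cookie_csrf or not hmac.compare_digest(cookie_csrf, header_csrf):
        return None
    return jwt
```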

Articles

Here are some of my articles. Feel free to check them out if you like!
