DEV Community


Discussion on: JSON web tokens are NOT meant for authenticating the same user repeatedly: Use session tokens instead

jonathanihm profile image

I disagree, localStorage is a few factors more insecure than httpOnly cookies. Obviously neither way are immune to XSS 100%, but I feel the statement "a little more secure" is inaccurate. Yes, it depends on implementation but naturally the httpOnly cookie would see XSRF attacks rather than an XSS.


sean_snd profile image
Sean Nicholas

Hey Jonathan,

the answer in the stackoverflow article you linked does explain exactly what I mean: "So in reality you are still susceptible to XSS, it's just that attacker can't steal you JWT token for later use, but he can still make requests on your users behalf using XSS."

If you have XSS on your site it does not matter where you put your JWT. Because the attacker can send requests on behalf of the current user. Only thing is he can't copy your JWT and use it on his computer. But no need for that, he can just use the XSS vuln to send a request to /admin/drop-all-the-tables or get data from /admin/users and send it to his server.

It's just a bit more secure as it is not as easy for the attacker as querying the localstorage and sending it to his server. But the overhead to write a XSS remote shell is not that hard (pretty sure there are tools out there that do exactly this).

So what you get: A tiny bit more security but a lot more inconvenience. For example: You can't read the JWT in your app (because it is stored in httpOnly) and use the userId or other information that is coded in the JWT in your app.

Thread Thread
jonathanihm profile image

Agree to disagree- it really depends on the application, but when we are talking JUST in the context of pure security JUST from XSS, localStorage is not the best option. Obviously you do need localStorage for things like state management. My issue is just the wording "a bit more" when in reality its "a lot more".

Forem Open with the Forem app