DEV Community

Discussion on: How to securely store JWT tokens.

Luke Glazebrook

First off, great article! I've recently finished building an authentication system that works very similarly to the one you've described, but with a distinct difference: I store the JWT across two cookies.

One cookie contains just the JWT header and payload and can be accessed by JavaScript, the other contains the signature but is Secure + HttpOnly. This way I can access the payload on the client without worrying about having the entire token potentially compromised.

Authentication in SPA the right way by Jean-Cristophe Baey describes this approach in a bit more detail.

George Koniaris Author

Thank you very much. That's a very clever approach!!! I will definitely try it on my next projects.