I think a lot of the responders have missed a very big point. JWT's that gives someone god like full access to every single API endpoint is bad. We know this. This is regardless of whether it is in a SPA or whatever else. But a significant number of tutorials specifically illustrate how to do this. In turn, every user has all access or no access.
Now come on, we are better than that, right?
Then, we decide to put these tokens in a place where anything has unrestricted access to the value. Sure, someone can get a hold of the cookie or do some magic to send requests as if they are you. But why even bother if I can just read the value from local storage. Hey thanks for the token. This god like power token is mine and I will use it for the... oops, you didn't set an expiration.
I guess you'll invalidate all of your user's tokens by changing your secret. Weeeeeelllllllllllll, hopefully you didn't follow the tuts and store your keys in such a way that you have to do a new deploy. Either way, now you just logged your users off in the middle of their purchase. Maybe they were customizing a product. Maybe they were finalizing a purchase. They click next and booooooommmmm!!!! They aren't logged in. I guess I'd go to amazon then.
If you were to practice being honest about security issue, you would tell me that you invalidated my login because another user's had their's compromised. I'd probably stop trusting you. Just stop for a second and say the words out loud. "I'm going to build a security layer that requires that I invalidate all users logins if a single user is compromised." Small app or big app, doesn't matter, that's just a terrible idea and should be reserved for catastrophic last resorts.
Now, if you have made it this far, you're thinking "Forget this guy, I know more than him because I'm a high IQ googler..." Well, here's a few others that just say no to doing stupid and careless things with people's secure data. Honestly, you all should be ashamed of yourselves. tsk, tsk.
Browser local storage (or session storage) is not a secure place to store sensitive information. Any data stored there:
That's enough for now. Funny how OWASP recommends using cookies.....
As smokey the bear say's, "Only you can prevent people's secure data from being leaked by half reading documentation and trusting what that guy Steve said on StackOverflow." Ok, maybe Smokey didn't say that. But seriously, are you going to trust Steve? Come on, it's Steve.
Just wanted to add a little more...
You wouldn't store passwords in local storage, right? If you just handed me a password, I'd still have to do at least some work to find out what user it went to. Think about it, just a password sitting out in the open can only do damage if I know the corresponding username. Does this hold true with tokens... No, Steve, it doesn't. A token by itself is enough, most of the time.
We're a place where coders share, stay up-to-date and grow their careers.
We strive for transparency and don't collect excess data.