DEV Community

Discussion on: Please Stop Using Local Storage

Pocketstealer

For this reason alone we shouldn't use the internet...

If you have xss on your page... there are worse things than a token.

What can they do with a token? Access the account? Then what? Boohoo, nothing.

You can ask for the password for "confidential" data that really hurts the user. Every bank does it; you can too.

The only reason is XSS. And that is mitigated by any good framework out there (Symfony, Laravel, etc.).

JWT tokens can be used everywhere. Not everyone has the luxury to have everything on one server.

JWTs are insecure if you don't know how to use them. You can pretty much make a JWT require a refresh every 5 minutes and expire after 24 hours...

More than that, if you really don't like them being stateless (but that's another problem) you can put an id on them and save it in the database, but that defeats the purpose.

You can attach an IP to the JWT. Makes it even harder to steal.

I mean I lock my door when I leave the house. I don't put a tank in front of it, hire 20 bodyguards and buy a flamethrower...

Suhas Chatekar

How do you attach an IP to a JWT? And even if you manage to do that, how do you then use an IP bound JWT from an SPA or mobile app?

Pocketstealer

Simple. You can put it in the JWT...

A JWT can have any number of objects you want.
It's JSON...

Any request to an has requester data... you can particularise from there, or any other method, and make it very unique to the user and harder to just take it and reuse it.

Did I say you have a universal solution? No. You need to make it your own.

If you are afraid of technology then that's on you. But tools are there to be used, not to be afraid of because of "problems".

LocalStorage has some drawbacks, but has good parts as well... Tokens are used everywhere... even to log in on this website.

Let's not talk about the iframe solution, which is implemented and has security flaws as well (looking at you, Google).
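The IP-binding idea from the exchange above, written out as an added example that is not from the original thread: a minimal HS256 JWT carrying an `ip` claim and a five-minute `exp`, where the binding is enforced entirely server-side by comparing the claim against the address of the request presenting the token (an SPA or mobile client just sends the token as usual). The secret, user ids and addresses are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption: a server-side HMAC key; constructed for this demo, never shipped to clients.
SECRET = b"constructed-demo-secret-key"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: str, client_ip: str, ttl_seconds: int = 300,
                now: Optional[int] = None) -> str:
    """Issue an HS256 JWT with the requester's IP as a claim and a short expiry.

    The IP is just a signed claim; it only "binds" because verify_token() checks
    it against the address of whoever later presents the token.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "ip": client_ip, "iat": now, "exp": now + ttl_seconds}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = f"{b64url_encode(compact(header))}.{b64url_encode(compact(payload))}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_token(token: str, request_ip: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if signature, algorithm, expiry and IP all check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None  # forged or tampered token
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        return None  # the token never gets to choose the algorithm
    payload = json.loads(b64url_decode(p))
    if payload.get("exp", 0) <= now:
        return None  # short lifetime limits how long a leaked token stays useful
    if payload.get("ip") != request_ip:
        return None  # presented from a different address than it was issued to
    return payload
```

The trade-off to weigh before deploying this: clients behind carrier NAT or switching between Wi-Fi and mobile data change address legitimately and will be logged out, while a token leaked to someone on the same network or proxy still verifies.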

akin zeman

Depends on the value of your project or house...