DEV Community

Discussion on: LocalStorage vs Cookies: All You Need To Know About Storing JWT Tokens Securely in The Front-End

Richard Torcato

No, because the refresh token was an HttpOnly, SameSite cookie unreadable by JavaScript. If the refresh token cookie is not there, /refresh_token should fail.
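The behavior described in the comment above, as an added example that is not part of the original discussion: Node.js logic for a `/refresh_token` endpoint that rejects any request lacking a valid refresh cookie and sets that cookie with `HttpOnly` and `SameSite`. The function names, the in-memory store, the one-time rotation, the `Secure`, `Path` and `Max-Age` values, and the random string standing in for a signed JWT are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed in-memory store (assumption): refresh token -> user id.
const refreshTokens = new Map();

// Parse a raw Cookie request header into a name -> value map.
function parseCookies(header) {
  const out = Object.create(null);
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// HttpOnly hides the cookie from document.cookie; SameSite=Strict keeps it
// off cross-site requests; Path limits it to the refresh endpoint.
function refreshCookie(token) {
  return `refresh_token=${token}; HttpOnly; Secure; SameSite=Strict; ` +
         'Path=/refresh_token; Max-Age=604800';
}

function issueRefreshToken(userId) {
  const token = crypto.randomBytes(32).toString('base64url');
  refreshTokens.set(token, userId);
  return token;
}

// Logic for POST /refresh_token, given the request's Cookie header.
function handleRefresh(cookieHeader) {
  const token = parseCookies(cookieHeader).refresh_token;
  if (!token || !refreshTokens.has(token)) {
    // No cookie, or an unknown one: fail, as the comment says it should.
    return { status: 401, headers: {}, body: { error: 'invalid refresh token' } };
  }
  const userId = refreshTokens.get(token);
  refreshTokens.delete(token); // rotation (assumption): each token works once
  const accessToken = crypto.randomBytes(16).toString('hex'); // stand-in for a short-lived JWT
  return {
    status: 200,
    headers: { 'Set-Cookie': refreshCookie(issueRefreshToken(userId)) },
    body: { accessToken },
  };
}
```

Only the access token appears in the response body, so page script never handles the refresh token itself.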