DEV Community

Discussion on: Secure JSON Web Token with Unique Browser IDs

Samuel Scheiderich

This provides only an incomplete small additional security feature.

The correct solution to authentication is to use server-side ("stateful") sessions where you validate the sessionID from the client against your database for every request, and the sessionID is stored only in an httpOnly cookie.

Using an httpOnly cookie provides a complete fix for the security issue described here by making it impossible to steal the token without user-level/physical access to the browser (which isn't generally possible to protect against, including by your method).

Stop using localStorage for authentication: rdegges.com/2018/please-stop-using...
And Stop Using JWTs! gist.github.com/samsch/0d1f3d3b474...