DEV Community

loading...

Discussion on: JSON web tokens are NOT meant for authenticating the same user repeatedly: Use session tokens instead

Collapse
sean_snd profile image
Sean Nicholas

Imho storing the jwt in a httpOnly cookie does only increase security a little bit. It only prevents stealing the jwt.

But an attacker using a xss vulnerability in your app has still full access and could easily do every attack from within your app with your credentials assigned.

Changing the attack from stealing a jwt to running the malicious request directly in your browser is pretty easy. So if you think you are save with httpOnly you're unfortunately wrong.

That said: security is a layered approach. The more layers the better. But I think this specific layer does not add a big barrier for an attacker and does make other things harder (for example reading the content of the jwt).

I would still save my jwt in local storage. If you have a case vulnerability you are screwed anyways 😅

Collapse
jonathanihm profile image
Jonathan

I disagree, localStorage is a few factors more insecure than httpOnly cookies. Obviously neither way are immune to XSS 100%, but I feel the statement "a little more secure" is inaccurate. Yes, it depends on implementation but naturally the httpOnly cookie would see XSRF attacks rather than an XSS.

stackoverflow.com/questions/348176....

Cheers!

Collapse
sean_snd profile image
Sean Nicholas

Hey Jonathan,

the answer in the stackoverflow article you linked does explain exactly what I mean: "So in reality you are still susceptible to XSS, it's just that attacker can't steal you JWT token for later use, but he can still make requests on your users behalf using XSS."

If you have XSS on your site it does not matter where you put your JWT. Because the attacker can send requests on behalf of the current user. Only thing is he can't copy your JWT and use it on his computer. But no need for that, he can just use the XSS vuln to send a request to /admin/drop-all-the-tables or get data from /admin/users and send it to his server.

It's just a bit more secure as it is not as easy for the attacker as querying the localstorage and sending it to his server. But the overhead to write a XSS remote shell is not that hard (pretty sure there are tools out there that do exactly this).

So what you get: A tiny bit more security but a lot more inconvenience. For example: You can't read the JWT in your app (because it is stored in httpOnly) and use the userId or other information that is coded in the JWT in your app.

Thread Thread
jonathanihm profile image
Jonathan

Agree to disagree- it really depends on the application, but when we are talking JUST in the context of pure security JUST from XSS, localStorage is not the best option. Obviously you do need localStorage for things like state management. My issue is just the wording "a bit more" when in reality its "a lot more".

Forem Open with the Forem app