See I do the same, although I use cookies to store it as I need to be able to share the token on multiple subdomains (don't ask me why, just have to). The article is a little bit misleading in terms of what the impact of someone hijacking your JWT token is. Technically, if they have compromised your machine they pretty much hold you by the short and curlies and can access far more sensitive data than your JWT token.
Hey! You might enjoy this talk I've given on the cross-domain stuff: youtube.com/watch?v=pYeekwv3vC4 I cover using cookies with cross-domain and the proper way to do it towards the middle of the talk.
Cheers! I'll have a look.
Hahhaa I like how it's called JSON Web Tokens Suck... I kinda agree :D
Oh I totally understand needing to be able to share the token across subdomains. It helps with deployment flexibility.
One note of caution though. I realized later that what I described at the end (putting the JWT in a cookie) opens itself up to XSRF attacks unless other precautions are taken. Common ones are anti-forgery tokens (which requires keeping some session state) or using CORS with appropriate Origin restrictions.
Yeah, we do that already and are actually upgrading the platform to stop relying on the client-generated cookies and switching to HttpOnly.