Where to save a JWT in a browser-based application and how to use it

by

Choosing the storage is more about trade-offs than trying to find a definitive best choice. Let’s go through a few options:

Option 1 – Web Storage (localStorage or sessionStorage)

Pros

  • The browser will not automatically include anything from Web storage into HTTP requests making it not vulnerable to CSRF
  • Can only be accessed by Javascript running in the exact same domain that created the data
  • Allows to use the most semantically correct approach to pass token authentication credentials in HTTP (the Authorization header with a Bearer scheme)
  • It’s very easy to cherry pick the requests that should contain authentication

Cons

  • Cannot be accessed by Javascript running in a sub-domain of the one that created the data (a value written by example.com cannot be read by sub.example.com)
  • ⚠️ Is vulnerable to XSS
  • In order to perform authenticated requests you can only use browser/library API’s that allow for you to customize the request (pass the token in the Authorization header)

Usage

You leverage the browser localStorage or sessionStorage API to store and then retrieve the token when performing requests.

localStorage.setItem('token', 'asY-x34SfYPk'); // write
console.log(localStorage.getItem('token')); // read

Option 2 – HTTP-only cookie

Pros

  • It’s not vulnerable to XSS
  • The browser automatically includes the token in any request that meets the cookie specification (domain, path and lifetime)
  • The cookie can be created at a top-level domain and used in requests performed by sub-domains

Cons

  • ⚠️ It’s vulnerable to CSRF
  • You need to be aware and always consider the possible usage of the cookies in sub-domains
  • Cherry picking the requests that should include the cookie is doable but messier
  • You may (still) hit some issues with small differences in how browsers deal with cookies
  • ⚠️ If you’re not careful you may implement a CSRF mitigation strategy that is vulnerable to XSS
  • The server-side needs to validate a cookie for authentication instead of the more appropriate Authorization header

Usage

You don’t need to do anything client-side as the browser will automatically take care of things for you.

Option 3 – Javascript accessible cookie ignored by server-side

Pros

  • It’s not vulnerable to CSRF (because it’s ignored by the server)
  • The cookie can be created at a top-level domain and used in requests performed by sub-domains
  • Allows to use the most semantically correct approach to pass token authentication credentials in HTTP (the Authorization header with a Bearer scheme)
  • It’s somewhat easy to cherry pick the requests that should contain authentication

Cons

  • ⚠️ It’s vulnerable to XSS
  • If you’re not careful with the path where you set the cookie then the cookie is included automatically by the browser in requests which will add unnecessary overhead
  • In order to perform authenticated requests you can only use browser/library API’s that allow for you to customize the request (pass the token in the Authorization header)

Usage

You leverage the browser document.cookie API to store and then retrieve the token when performing requests. This API is not as fine-grained as the Web storage (you get all the cookies) so you need extra work to parse the information you need.

document.cookie = "token=asY-x34SfYPk"; // write
console.log(document.cookie); // read

Additional Notes

This may seem a weird option, but it does has the nice benefit that you can have storage available to a top-level domain and all sub-domains which is something Web storage won’t give you. However, it’s more complex to implement.

Conclusion – Final Notes

My recommendation for most common scenarios would be to go with Option 1, mostly because:

  • If you create a Web application you need to deal with XSS; always, independently of where you store your tokens
  • If you don’t use cookie-based authentication CSRF should not even pop up on your radar so it’s one less thing to worry about

Also note that the cookie based options are also quite different, for Option 3 cookies are used purely as a storage mechanism so it’s almost as if it was an implementation detail of the client-side. However, Option 2 means a more traditional way of dealing with authentication; for a further read on this cookies vs token thing you may find this article interesting: Cookies vs Tokens: The Definitive Guide.

Finally, none of the options mention it, but use of HTTPS is mandatory of course, which would mean cookies should be created appropriately to take that in consideration.

More Related Contents:

  1. Detecting if a browser is using Private Browsing mode
  2. How to read a HttpOnly cookie using JavaScript
  3. Do I have to store tokens in cookies or localstorage or session?
  4. CORS cookie credentials from mobile WebView loaded locally with file://
  5. How to prevent direct access to my JSON service?
  6. How to secure javascript code from being run on other domain (stolen) ? need more ideas
  7. Why is using the JavaScript eval function a bad idea?
  8. How to delete a cookie?
  9. Invalidating JSON Web Tokens
  10. How do I uniquely identify computers visiting my web site?
  11. Javascript getCookie functions
  12. Delete cookie by name?
  13. Display A Popup Only Once Per User
  14. How do I create and read a value from cookie with javascript?
  15. Why do people put code like “throw 1; ” and “for(;;);” in front of json responses? [duplicate]
  16. Check if third-party cookies are enabled
  17. How can I set a cookie with expire time?
  18. AngularJS $http and $resource
  19. How to expire a cookie in 30 minutes using jQuery?
  20. What are the AES parameters used and steps performed internally by crypto-js while encrypting a message with a password?
  21. Javascript document.cookie always returns empty string
  22. How can I handle browser tab close event in Angular? Only close, not refresh
  23. Security Issues for allowing users to add own JavaScript to your site?
  24. Safari not sending cookie even after setting SameSite=None; Secure
  25. Why does Google prepend while(1); to their JSON responses?
  26. Why cookies and set-cookie headers can’t be set while making xmlhttprequest using setRequestHeader?
  27. Getting setting cookies on different domains, with JavaScript or other
  28. Exploiting JavaScript’s eval() method
  29. Why is “javascript:” pseudo-protocol stripped from URL bar when pasted?
  30. Adding X-CSRF-Token header globally to all instances of XMLHttpRequest();

Leave a Comment