Best option to store a JWT token.
CodePudding user response:
As told in my answer here, using cookies is better because they are available on both the client and the server.
It is also more secure than going through localStorage.
You can google for more questions if you want further in-depth details!
CodePudding user response:
localStorage is, in my opinion, the worst option.
localStorage is accessible via JavaScript, which means that a successful XSS could read out the cookie and send it to the attacker.
I would rather use a cookie. Why, you might ask?
Well, you can:
- Set httpOnly to true: this does not allow JavaScript in the browser to read the cookie. Only the server can read it.
- Set secure to true: a cookie with the Secure attribute is only sent to the server with an encrypted request over HTTPS. The problem you might face is that when you develop your application you usually don't have HTTPS. Therefore you should make an if/else statement like:
  secure: process.env.NODE_ENV === 'production' ? true : false
- Set SameSite to strict: this means only your domain example.com can read the cookie.
To make it even more secure you can sign your cookie.
Here is an example of how to create a cookie with express.js:
res.cookie("myCookie", "my cookie value", {
  httpOnly: true,      // not readable from browser JavaScript
  sameSite: 'strict',
  secure: process.env.NODE_ENV === 'production' ? true : false, // HTTPS only in production
  maxAge: 360000       // lifetime in milliseconds (6 minutes)
})
CodePudding user response:
Yes, I suggest the nuxt-auth module. This module has multiple schemes to authenticate users, including localStorage and cookie, and will prevent a lot of headaches.