I usually use JWT tokens, but I know this is not so secure, because when you store the token in LocalStorage you are susceptible to attacks.
What is the best and most secure way for a good session and auth management?
CodePudding user response:
The generally accepted standard is storing the JWT inside an httpOnly cookie. So the JWT/cookie will only be sent to the HTTP server and would not be accessible for reading or writing on the client side. To make it more secure you can set SameSite=strict to eliminate cross-site request forgery (CSRF), unless you require the JWT to fetch information from a different domain.
There probably are more secure ways to do this, but I believe this would be more than enough for an average website.
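An added example, not code from the answer above, showing the server side of what it describes with only the Python standard library: issue the token in a cookie carrying HttpOnly, Secure and SameSite=Strict, then read it back from the Cookie header and verify it. The HS256 secret and the cookie name `session` are constructed placeholders.

```python
import base64, hashlib, hmac, json, time
from http.cookies import SimpleCookie

SECRET = b"demo-secret-not-for-production"  # constructed; load from a secret store in practice
COOKIE_NAME = "session"                      # assumed cookie name

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Minimal HS256 JWT: base64url(header).base64url(payload).base64url(hmac)."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def set_cookie_header(token: str, max_age: int = 3600) -> str:
    """Set-Cookie value with the attributes the answer recommends: HttpOnly keeps the
    token out of document.cookie, Secure limits it to HTTPS, SameSite=Strict stops the
    browser attaching it to cross-site requests (CSRF)."""
    return f"{COOKIE_NAME}={token}; Max-Age={max_age}; Path=/; HttpOnly; Secure; SameSite=Strict"

def verify_jwt(token: str, secret: bytes = SECRET, now=None):
    """Return the claims if the signature checks out and the token is unexpired, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # refuse alg=none and algorithm-confusion tokens
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # tampered payload or wrong key
        claims = json.loads(_b64url_decode(payload_b64))
        now = int(time.time()) if now is None else now
        if "exp" in claims and now >= claims["exp"]:
            return None  # expired
    except (ValueError, AttributeError, TypeError):
        return None  # malformed token
    return claims

def claims_from_request(cookie_header: str, now=None):
    """Server side: pull the JWT out of the Cookie request header and verify it."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(COOKIE_NAME)
    return verify_jwt(morsel.value, now=now) if morsel else None
```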