@erosinger Whether we store our JWT in local/session storage or in a cookie that is not HttpOnly, both can be grabbed easily by XSS. Cookies are also vulnerable to cross-site request forgery (CSRF). There is also an issue with the max size of the cookie, which could be problematic if we have many claims attached to the token.
@erosinger I am closing this issue for now. If you still have questions, please feel free to reopen this issue.
@nehaagrawal Thanks for replying here. Your arguments sound good and we do not need to keep this open, if it has been thought about. Best, erosinger
Dear Team,
I am doing a security validation for a single page application. The application uses Azure's recommended ADAL library to authenticate against an Azure AD.
As the IdToken provided by Azure is stored in either localStorage or sessionStorage, it can be intercepted by Cross Site Scripting. To my knowledge cookieStorage seems to be the best of the bad options to store the IdToken for a single page application. See Where to Store JWT & HTML5 Security Cheat Sheet
But in Microsoft's library cookieStorage is not supported. See /doc/adal.js
Is there any reason for this? Or can you recommend a workaround?
I am looking forward to your response.
Best, erosinger