IndominusByte / fastapi-jwt-auth

FastAPI extension that provides JWT Auth support (secure, easy to use, and lightweight)
http://indominusbyte.github.io/fastapi-jwt-auth/
MIT License
627 stars 143 forks

access token should not be stored in httponly cookie #63

Open chiu0602 opened 2 years ago

chiu0602 commented 2 years ago

To enhance security, I store the token in a cookie with the following code:

from pydantic import BaseModel

class Settings(BaseModel):
    # tell fastapi-jwt-auth to read and write tokens via cookies instead of the Authorization header
    authjwt_token_location: set = {'cookies'}

If the tokens are stored in cookies, they are not readable by JS (as the HttpOnly flag is on), so the expiry time of the access token cannot be retrieved and the time to call token refresh is unknown.

The access token should be stored in a header, or at least be readable.

mccarreon commented 2 years ago

Cookies should be httponly for access and refresh tokens to protect from XSS attacks.

Per the API documentation, you can define the max_age for your cookies when you set them.
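The pattern the two comments converge on, as an added example that is not part of this issue thread or of fastapi-jwt-auth itself: the token cookie stays HttpOnly (so an XSS payload cannot read it) with a Max-Age tied to the token lifetime, and the only thing exposed to page script is a separate, secret-free cookie carrying the expiry timestamp, which is all the client needs to schedule a refresh. The cookie names, the hint cookie, and the audit helper are assumptions for the example; the library's own settings and `set_access_cookies` keyword arguments are not reproduced here.

```python
from http.cookies import SimpleCookie

# Assumed cookie names for this example (fastapi-jwt-auth has its own settings).
ACCESS_COOKIE = "access_token_cookie"
EXPIRY_HINT_COOKIE = "access_token_expires"


def build_auth_cookies(token: str, issued_at: int, lifetime_s: int,
                       secure: bool = True) -> list[str]:
    """Return the two Set-Cookie values a login response would carry.

    The token cookie is HttpOnly so page script cannot read it (limits what an
    XSS payload can exfiltrate); its Max-Age equals the token lifetime so the
    browser discards it once the JWT would be rejected anyway.  The hint cookie
    is deliberately NOT HttpOnly: it holds no secret, only the Unix time at
    which the client should call the refresh endpoint.
    """
    expires_at = issued_at + lifetime_s
    headers = []
    for name, value, http_only in ((ACCESS_COOKIE, token, True),
                                   (EXPIRY_HINT_COOKIE, str(expires_at), False)):
        jar = SimpleCookie()
        jar[name] = value
        morsel = jar[name]
        morsel["httponly"] = http_only   # False -> flag omitted from output
        morsel["secure"] = secure
        morsel["samesite"] = "Strict"
        morsel["path"] = "/"
        morsel["max-age"] = lifetime_s
        headers.append(jar.output(header="").strip())
    return headers


def parse_set_cookie(header_value: str) -> dict:
    """Minimal Set-Cookie parser: name, value and a lower-cased attribute map.

    Flag attributes (HttpOnly, Secure) map to True; valued ones keep the string.
    """
    first, *attrs = [part.strip() for part in header_value.split(";")]
    name, _, value = first.partition("=")
    parsed = {"name": name, "value": value, "attrs": {}}
    for attr in attrs:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        parsed["attrs"][key.lower()] = val if val else True
    return parsed


def audit_token_cookie(header_value: str, expected_lifetime_s: int) -> list[str]:
    """Problems a reviewer would flag on the cookie that carries the JWT."""
    attrs = parse_set_cookie(header_value)["attrs"]
    problems = []
    if attrs.get("httponly") is not True:
        problems.append("token readable by script: missing HttpOnly")
    if attrs.get("secure") is not True:
        problems.append("token sent over plain HTTP: missing Secure")
    if str(attrs.get("samesite", "")).lower() not in ("strict", "lax"):
        problems.append("missing SameSite")
    if attrs.get("max-age") != str(expected_lifetime_s):
        problems.append("Max-Age does not match token lifetime")
    return problems


def should_refresh(expiry_hint_value: str, now: float, skew_s: int = 30) -> bool:
    """Client-side decision: refresh once the hinted expiry is within skew_s."""
    return now >= int(expiry_hint_value) - skew_s


def demo() -> dict:
    # Constructed sample values; the token string is a placeholder, not a real JWT.
    token_hdr, hint_hdr = build_auth_cookies("eyJ.sample.token",
                                             issued_at=1_700_000_000, lifetime_s=900)
    hint = parse_set_cookie(hint_hdr)
    return {
        "token_problems": audit_token_cookie(token_hdr, 900),
        "hint_readable_by_js": hint["attrs"].get("httponly") is None,
        "refresh_now": should_refresh(hint["value"], now=1_700_000_880),
    }


if __name__ == "__main__":
    print(demo())
```

In a FastAPI handler the two header values would be attached with `response.headers.append("set-cookie", ...)` or an equivalent; the point of `audit_token_cookie` is that the same check can be run against any captured login response to confirm the token cookie is HttpOnly and its Max-Age matches the configured lifetime.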