Jenkins-ng / Frontend


JWT #2

Open PatMiracle opened 1 year ago

PatMiracle commented 1 year ago

As of now, the JSON web token is stored in the browser session storage alongside the user data. This works perfectly fine, but I want to store the token as a cookie so as to use the /me endpoint to get the user details. I have worked on it but am yet to push due to some light issues; I just wanted to state that the session storage is temporary.

Jybium commented 1 year ago

Why though?

PatMiracle commented 1 year ago

> Why though?

Local storage and session storage are two ways to store data in the browser. They are both accessible to JavaScript, which means that they can be accessed by any script on the page. This makes them vulnerable to cross-site scripting (XSS) attacks.

If a JWT is stored in local storage or session storage, an attacker who can exploit an XSS vulnerability could steal the token and use it to impersonate the user. This could allow them to access the user's account or perform other unauthorized actions.

For this reason, it is not recommended to store JWTs in local storage or session storage. Instead, you should store them in a more secure location, such as an httpOnly cookie.

Here are some of the security risks of storing JWTs in local storage:

- XSS attacks: As mentioned above, XSS attacks can be used to steal JWTs that are stored in local storage.
- Session hijacking: If an attacker can steal a user's JWT, they can use it to hijack the user's session. This means that they can access the user's account and perform actions on their behalf.
- CSRF attacks: CSRF attacks can be used to trick users into performing actions that they do not intend to perform. If a JWT is stored in local storage, an attacker could use a CSRF attack to force the user to perform actions that would allow them to access the user's account.

To mitigate these risks, it is important to store JWTs in a secure location. A good option is to store them in an httpOnly cookie. HttpOnly cookies are not accessible to JavaScript, which makes them more secure against XSS attacks.

Here are some best practices for storing JWTs:

- Store JWTs in an httpOnly cookie. This will make them inaccessible to JavaScript, which will protect them from XSS attacks.
- Use a secure hashing algorithm to generate JWTs. This will make it more difficult for attackers to forge JWTs.
- Invalidate JWTs after a certain period of time. This will help to prevent attackers from using expired JWTs to access user accounts.

By following these best practices, you can help to protect your users' JWTs and keep their accounts secure.

PatMiracle commented 1 year ago

I got this response from Bard; we should be concerned about security.