dwyl / learn-json-web-tokens

:closed_lock_with_key: Learn how to use JSON Web Token (JWT) to secure your next Web App! (Tutorial/Example with Tests!!)
MIT License

JWT with cookie #81

Open u-can-miracle opened 6 years ago

u-can-miracle commented 6 years ago

Hi. I send the JWT in cookies with the httpOnly flag enabled, so the user can't set them from the browser. As I saw before, you recommend using localStorage for this case, but someone can steal the JWT from localStorage. In my case I have easy access to the JWT from the server and no access from the browser, which as I see it is more secure. So, why do you recommend using localStorage?

Teebo commented 6 years ago

The only advantage of using a cookie is the one you've mentioned. Because I am using localStorage, I make sure that the JWT expires in a short period and I do not put sensitive data in the JWT.

jschr commented 6 years ago

Another advantage to storing the JWT in a cookie is if you need server-side rendering with an auth context.