19

I have already worked with JWT on a mobile app, but I will be implementing it on a website for the first time for authentication, and there is one small thing I still don't understand:

  • if I use a JWT token with localStorage, XSS attacks are possible
  • if I use a JWT token with cookies, CSRF attacks are possible

..., but if I use a JWT token over HTTPS with httpOnly+secure cookies and a token lifetime of 1 month, are CSRF attacks still possible in this case?

I see plenty of material all over the web about custom tokens with cookies, custom tokens with localStorage, or JWT, but I haven't found an explicit answer about httpOnly+secure cookie + JWT + HTTPS and whether CSRF protection is still needed.

2 Answers

26

If you are using JWT as an authentication token, it should be stored as a cookie marked httpOnly and secure, as opposed to using Local/Session Storage. As you mention, this protects against XSS attacks, where we are concerned about malicious JavaScript being injected into our page and stealing our session token.

  • A cookie marked httpOnly cannot be read by JavaScript, so it cannot be stolen in an XSS attack.
  • Local/Session Storage, however, can be read by JavaScript, so putting the session token there would make it vulnerable to an XSS attack.

However, making the session token cookie httpOnly and secure still leaves you vulnerable to CSRF attacks. To see why, remember that cookies are marked with the domain from which they originated, and the browser only sends cookies that match the domain to which the request is being sent (independent of the domain of the page the request was sent from). For example, suppose I'm signed into stackoverflow.com in one tab, and in another tab go to evil.com. If evil.com makes an ajax call to stackoverflow.com/delete-my-account, my stackoverflow authentication token cookie will be sent to the stackoverflow server. Unless that endpoint is protecting against CSRF, my account will be deleted.

There are techniques for preventing CSRF attacks. I would recommend reading this OWASP page on CSRF attacks and preventions.


2 Comments

Hi, many thanks for your answer. I will then implement a CSRF prevention after reading the article you shared.
Hello! Please have a look at this question: stackoverflow.com/questions/49597702/… I am currently implementing a RESTful API + SPA, and have been wondering about the same. Came up with this approach. Maybe share your views?
2

As long as you set the cookie attribute "SameSite" to "Strict", you should be fine. Any request made from a different domain will not be accepted by the server.

If I'm wrong, tell me how.

