
What is the most secure way to store and transfer a JWT token, or any authentication token in general?

Someone told me it's secure to send the authentication token as a cookie, but I don't understand how this would provide any additional security over just using a plain session ID cookie for authentication, as the browser would include that cookie for all outgoing requests anyway. Have I misunderstood something?

What makes a lot more sense to me is if the token were stored in a response header or body, then extracted on the client side programmatically and manually added to each request. There would be no way to intercept the token over an HTTPS connection and CSRF attacks are rendered impossible (I would use a CSRF token anyway). Of course the authentication token could still be accessed by an XSS attack, but isn't the cookie also prone to this attack?

I don't understand how a token in a cookie provides ANY additional security over authentication based on a simple session ID cookie. Am I missing some information?

Anders
Tuomas Toivonen

2 Answers


By putting the token in the cookie and setting that cookie HttpOnly, you can prevent access to the cookie by malicious client-side script (i.e., XSS) - there is no access to an HttpOnly cookie from JavaScript; the browser will protect it and handle sending the cookie only to the right origin.

https://www.owasp.org/index.php/HttpOnly

crovers
  • That will make a CSRF attack a possibility, and it doesn't really matter that much in the case of XSS either, since you can still make requests with the cookies. – FINDarkside Jun 14 '18 at 12:20

Ok, let's start by understanding what JWT is (quoted from their website):

JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties.

JWT.IO allows you to decode, verify and generate JWT.

The goal of JWT isn't to hide data, but to prove your identity to the server. Anyone can decode the token, but they can't create fake tokens because that requires the secret key. The server will throw an exception when attempting to decode a fake token, since no one knows your private key (I hope!).

Usually, the token is sent in the Authorization header, which looks something like this:

Authorization: Bearer <the token>

And then you have many libraries which will parse the header and extract the needed information for you, depending on your language.

Tom
  • Actually the tokens are generated by the server, when a login request is received from the client. Then the server sends the token together with the response to the login request. Therefore, the client *does* need to store it, in order to add it to subsequent requests. – Ioanna Apr 08 '19 at 03:04
  • Well obviously... Otherwise how will it be sent in the authorization header? – Tom Apr 08 '19 at 16:50
  • @Tom lol ....... – ADP Dec 22 '20 at 04:03
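An added example, not from the original post or either answer, showing the two claims made above in working code: minting an HS256 JWT on the server, reading its payload without any key (anyone can decode it), and verifying it after extracting it from the `Authorization: Bearer <token>` header, so that a payload altered without the secret is rejected. Only the Python standard library is used; the secret and claims are constructed for the demonstration.

```python
# Added example (not from the original post): HS256 JWT mint/verify with the
# standard library only. Secret, claims and header values are constructed.
import base64, hashlib, hmac, json, time

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(claims: dict, secret: bytes) -> str:
    """Server side: sign the claims. Only the holder of `secret` can do this."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"

def peek_claims(token: str) -> dict:
    """Anyone can read the payload without the key: a JWT hides nothing."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def verify_jwt(token: str, secret: bytes, now=None) -> dict:
    """Server side: reject anything not signed with `secret`, or expired."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm instead of trusting whatever the token's header says.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" in claims and (now if now is not None else int(time.time())) >= claims["exp"]:
        raise ValueError("token expired")
    return claims

def claims_from_authorization(header_value: str, secret: bytes, now=None) -> dict:
    """Parse 'Authorization: Bearer <token>' as the answer above describes."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("expected 'Authorization: Bearer <token>'")
    return verify_jwt(token.strip(), secret, now)
```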