I was reading this question and still have doubts about my use case.

I know it's unsafe to store a JWT in local/session storage due to XSS attacks. But what if it's for a JWT that only lasts 1 min when they first login? The client would then use this to get a longer + safer JWT to stay logged in from then on.

I'm using a third party identity provider to handle the initial login. The reason I have to do this is because their API that returns the JWT doesn't support httpOnly (for whatever reason). I still have to store the JWT temporarily somewhere before I get a new one in an httpOnly cookie from the server. Or should I store it in state (I'm using React)?

Is this approach safe? My reasoning is that even if they do get the JWT, it would only last 1 minute before it expires.

Overview

  1. User enters credentials on login page. Identity provider returns a 1 min long JWT to the client.
  2. Client stores JWT in local storage.
  3. Client calls GET /getJWT with the JWT in step 2 in the payload.
  4. Server validates the JWT. It issues a new JWT that lasts 15 min. Server sends a response with the JWT in an httpOnly cookie.
tbd_
    It doesn't seem like you need to involve localStorage for this at all. Putting the JWT in a local variable and then doing the next request seems like enough. – Macil Aug 06 '20 at 02:35
  • @Macil Oh, interesting. Would you mind expanding why a variable is better in this case? Thanks! – tbd_ Aug 06 '20 at 03:24
  • Safe from what? It is only a question of whether or not a particular mitigation sufficiently protects a given risk against a particular threat. There is no such thing as "safe". – Conor Mancone Aug 28 '20 at 17:28

1 Answer

In this case, I would use a cache mechanism only for JWT tokens generated via the backend. I would not recommend using session storage or local storage in any way. You may trigger a JWT token rotation every two minutes or so, but be aware that this may slow down your application as it gets bigger over time.

In the last case, where there is nothing to be done, I would recommend using a server cross-site-scripting header on the server to prevent XSS attacks, and using a hidden HTML tag to store JWT tokens and send them with every request, probably via an AJAX call if you work with it.

Sherlocker
  • Why wouldn't you recommend using session storage? What is a "server cross site-scripting header"? Why do you think that storing the JWT in a hidden HTML tag gives any better protection against XSS than local storage? – Conor Mancone Aug 28 '20 at 17:26