How to Use HttpOnly Cookie to Secure JSON Web Tokens (JWT) in ASP.NET Core Web API


In this video, I will show you how to secure our JWTs, or JSON Web Tokens, when implementing the authentication and refresh token actions in our .NET Core applications. HttpOnly is a flag added to a browser cookie that prevents client-side scripts from accessing it. It acts as a gate: the browser still sends the cookie to the server with each request, but nothing other than the server can read it. Using the HttpOnly flag when generating a cookie helps mitigate the risk of client-side scripts accessing the protected cookie, thus making these cookies more secure.
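As an added example (not the video's source code), here is a minimal ASP.NET Core setup that issues both tokens as HttpOnly cookies on login and refresh and lets the JwtBearer middleware read the JWT back from the cookie; the cookie names, lifetimes and the `ITokenService` interface are assumptions.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(o =>
{
    // Validation parameters (issuer, audience, signing key) omitted; configure as usual.
    // Read the JWT from the HttpOnly cookie instead of the Authorization header.
    o.Events = new JwtBearerEvents
    {
        OnMessageReceived = ctx => { ctx.Token = ctx.Request.Cookies["accessToken"]; return Task.CompletedTask; }
    };
});
builder.Services.AddAuthorization();   // register your ITokenService implementation here as well
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// HttpOnly: unreadable by script; Secure: HTTPS only; SameSite=Strict: not sent cross-site.
static CookieOptions CookieFor(DateTimeOffset expires) =>
    new() { HttpOnly = true, Secure = true, SameSite = SameSiteMode.Strict, Expires = expires };
static void SetTokenCookies(HttpResponse res, string access, string refresh)
{
    res.Cookies.Append("accessToken", access, CookieFor(DateTimeOffset.UtcNow.AddMinutes(5)));
    res.Cookies.Append("refreshToken", refresh, CookieFor(DateTimeOffset.UtcNow.AddDays(7)));
}
app.MapPost("/login", (LoginRequest req, [FromServices] ITokenService tokens, HttpResponse res) =>
{
    if (!tokens.TryIssue(req.UserName, req.Password, out var access, out var refresh))
        return Results.Unauthorized();
    SetTokenCookies(res, access, refresh);
    return Results.Ok();
});
app.MapPost("/refresh", (HttpRequest req, HttpResponse res, [FromServices] ITokenService tokens) =>
{
    // Both cookies arrive automatically; the expired JWT identifies the user and the refresh
    // token must match the one stored server-side before a new pair is issued.
    if (!req.Cookies.TryGetValue("accessToken", out var expired) ||
        !req.Cookies.TryGetValue("refreshToken", out var refresh) ||
        !tokens.TryRefresh(expired, refresh, out var access, out var newRefresh))
        return Results.Unauthorized();
    SetTokenCookies(res, access, newRefresh);
    return Results.Ok();
});
app.Run();
record LoginRequest(string UserName, string Password);
interface ITokenService   // hypothetical (not from the video): checks credentials, mints and rotates tokens
{
    bool TryIssue(string user, string password, out string access, out string refresh);
    bool TryRefresh(string expiredAccess, string refresh, out string access, out string newRefresh);
}
```

Because the browser attaches the cookies itself, the client sends requests with credentials included and never handles the token; on logout the server clears both cookies with `Response.Cookies.Delete`.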

Comments

Thank you all for watching and for your support.

CodeMaze

That's exactly what I needed. Thanks a lot for this video!

ckxthlk

Thank you as usual for this content.
How do you access the content, say the nameidentity claim of the JWT token, on a client web app, and the refresh token if the JWT expires, say in an Angular app?
I'm guessing you can use withCredentials set to true along with a request.

Thank you

ugochukwuumerie

Thank you for the info. When the client logs out, do we need to just remove the tokens from the cookies?

crashtagiyevpirt

Thanks, Code Maze.
This can be helpful for me to store the access token and refresh token in cookies. I have one issue:
The access token is active for 5 min.
The refresh token is active for 7 days.

If the access token has expired and the refresh token is active, how do I refresh the access token automatically?

mindsetark

Thanks for the video, but I have a little remark. You say in the beginning of your video that if you encrypt your token it is of no use for an attacker. That is however not completely correct as I understand it. It is true that an attacker can't read what's inside the token (like userId, e-mail, role, ...), but an attacker can still use the token to impersonate a real user.

jonny.rubber

Great video, just one question:
Why are we even using the refresh endpoint? Couldn't we just check if the token is valid, and if not refresh it automatically, set the Set-Cookie headers and access the protected route?

vitusschaber

I noticed that once you refresh the page after login, the cookie disappears; it doesn't persist. How do I persist the cookies for future requests? Am I missing something? Thanks

ugochukwuumerie

When the cookies expire, they are deleted from the cookies, and if I try to get the value I get an error.
What can I do?

shabanelmogy

Hello, thanks for the video! Since I am not saving anything to my localStorage, how can I check if my user is logged in after refreshing the page?
One solution would be to go to the login page every time and make a request to see if the token is still valid. Is there any easier way?

GustavoAlves-nghs

Amazing video as usual. Is this technique new for .NET 8, or is it something that already existed? From what you can see, it is no longer necessary to attach the token to the requests; is that what you do with the cookie? If I later wanted to connect to the API through Blazor, for example, would I only need to log in and start consuming endpoints directly?

andresbeltran