How to Store JWT for Authentication

Learn how you can store your JWT in memory instead of localStorage or a cookie for authentication. This method limits your exposure to CSRF and XSS attacks.

#jwt

Links from video:


----
#benawad
Comments

Sending the refresh token with each API call is completely at odds with the aim of the access/refresh token paradigm where the short lived access token goes out with API requests, and the refresh token is only used to request new access tokens.


The fix is simple: scope the cookie to only the path for requesting a new access token. This keeps all the benefits described of access token in memory, refresh token in cookie, and avoids having the refresh token "hanging around" where it shouldn't be (e.g. API requests that may dump the request to logs, leaking the long-lived refresh tokens).

tehbeard

Well done Ben, looking forward to the video on this concept.

sathishshaj

Great stuff! Looking forward to the implementation video.

MrScX

Thank you for introducing another useful concept for authentication. I'll look forward to your actual implementation.

fhxopcd

Many thanks for your informative and humorous videos, Ben, but what exactly is the difference to session cookies with a csrf token? The refresh token reminds me of the session id cookie and the JWT would be the csrf token.

crnholio

I have a question regarding the refresh token. As you mentioned, when the attacker gets the refresh token in the cookie, the attacker can't get the access token, so the malicious attack won't happen. But when an authenticated user refreshes the page, the access token is gone as well, right? How can this authenticated user get the access token after refreshing the page? (I believe the user needs to log in again after refreshing the page?)

PinkChineseChives

I also found this article interesting. Another thing is that this kind of approach only authenticates client side. I saw a few websites which generally keep the access token in cookies and use a CSRF token, and that's why if we open 'view source', it also gives you authenticated user details, whereas in this article's case it gets user details client side and looks more secure.

dhavall

Your recipe app is freaking good, Ben. How long did it take you to make? Do you have a lot of traction on it?

Mrstealurgrill

Great video, thanks. Quick question with your solution: would it not be the same storing the refresh token in web storage?

kvinshum

Access to cookies from JavaScript can be blocked easily, so actually XSS is not an issue. If you block it, browsers will manage cookies in requests and responses. An attacker may still be able to steal cookies from the file system using malware anyway, but I think it is not a big case. You don't need to store the token in memory; this just increases the complexity.

rdvanaltun

The question is how to receive the two tokens from local storage and cookie at the same time with one HTTP request?

fxstreamer

Storing info in JS doesn't protect it from XSS or even CSRF. You need policies like the SameSite cookie attribute.

holthuizenoemoet

How can you store the cookie as HTTP only in case your frontend and backend are served from different domains?

oussamasethoum

Hi Ben, if your site is vulnerable to XSS then an attacker can still easily get your access token from global memory. So is this the right method? I am still confused. Moreover, if you are storing the refresh token in an HTTP-only cookie without a CSRF token, you are still vulnerable to CSRF attacks, as CSRF attacks work with HTTP-only cookies, e.g. session cookies.

GeordyJames

Should I use different keys for signing the refresh_token compared to the access_token?

axedyson

Why doesn't the backend refresh an access token automatically if the user is valid and has a valid refresh token in the headers? (This can be done e.g. via middleware.)

rstart

Storing in memory would still be vulnerable to XSS, however, an attacker would have to reverse engineer your application to find where you store it in memory.

TheQuinn

Hey, I'm having trouble understanding how this protects against XSS. I get why it protects against CSRF. But isn't the access token, although short lived, still exposed to XSS?

NexusGamingRadical

Looking forward to the implementation video.

md.akib

I am a noob, so I do not really know much about this kind of stuff, but I am very curious how we know when to send the access token back. You said that the refresh token absolutely does nothing. However, when the user refreshes the page, the user will send us the refresh token to get the access token? So in both cases we receive just the refresh token, and how do we know when to send the access token back?

Giigigi