Reputation: 285
JWT stored in cookie - security concerns
I'm building SPA app with server side rendering, using JWT-based authentication.
Current implementation is:
- JWT token is issued and transferred to client after successful username and password verification
- token is then stored in cookie (not
HttpOnly) - the purpose of that is to avoid the need to login again after full refresh or closing page - logging out deleted cookie with token
Authorizationheader is attached to every API request if token exists- full SSL traffic
I can't store token in LocalStorage because of server side rendering, also the there is no HttpOnly because I need to access cookie in order to construct Authorization header.
What are the possibilities of stealing the token in such architecture?
Upvotes: 1
Views: 1753
Answers (1)
Reputation: 15570
One major risk is that any single cross-site scripting vulnerability in your application could be used to steal the token from the cookie, because it's not httpOnly (while I understand why that is the case). XSS in a javascript-heavy application like an SPA is very common and hard to avoid.
Also you're saying the token is kept in the cookie so that after closing the browser, the user is still logged in. On the one hand, that's bad practice, a user closing the browser probably expects being logged out. On the other hand, this means the cookie is persisted to disk, so it is much easier for an attacker to steal it from the client.
Another thing that comes to mind is cross-site request forgery (CSRF), but if I understand correctly, authentication is actually based on the Authorize header, where the token is copied in each request. If that's the case, CSRF is not an issue for you (but it would be, if sending the token in the cookie was enough).
So at the very least, I think you should
not use a persisted cookie for the token
try to minimize the chance of XSS (eg. by automatically scanning your code, but that will never be 100%, also by carefully choosing secure by default technologies)
make sure auhentication is based on the
Authorizeheader and not the cookie
Still mainly because of the XSS risk, I would probably not recommend doing it this way in a security-critical application.
Upvotes: 1
Related Questions
- are CSRF attacks still possible when using a httpOnly+secure cookie with a token lifetime of 1 month?
- jwt authentication: cookie vs header
- Correct way to handle JWT tokens in cookies for authentication on the client-side
- A secure single site JWT implementation
- JWT - storing token in cookies
- Using JWT instead of Cookie on SSL enabled site
- Are JWTs stored in cookies safe?
- JWT tokens in sessionStorage vs cookies?
- Authentication with JWT
- Shall we store JWT as a cookie?