Reputation: 623
Should my JWT be HTTPOnly? I currently create them like this:
const jwt = require('jsonwebtoken');
const Cookies = require('cookies');

// server side: sign the JWT and set it as a cookie on the response
const token = jwt.sign(user, config.secret, {
  expiresIn: 604800 // 1 week
});
new Cookies(req, res).set('access_token', token, {
  httpOnly: false,
  secure: false // for your production environment
});
And get them like this using universal-cookie:
import Cookies from 'universal-cookie';

// client side: read the cookie back (comes back undefined when the cookie is HttpOnly)
const cookies = new Cookies();
var token = cookies.get('access_token');
Is this secure? If not, or if there is another reason not to do it this way, how should I do it? If the JWT cookie is HttpOnly, then the get request comes back as undefined.
Thanks, Ed.
Upvotes: 1
Views: 1662
Reputation: 1376
The JWT specification says that:
JSON Web Token (JWT) is a compact claims representation format intended for space constrained environments such as HTTP Authorization headers and URI query parameters.
So it states that it is intended for HTTP Authorization headers and URI query parameters. You can use it as a cookie, as the specification doesn't prohibit it. I can imagine use cases where it's reasonable to use a JWT token as a cookie, and specifically as HttpOnly. Now, the question about making it HttpOnly depends on the following:
If you don't need to access it from the client code, or there is an impact of disclosing the token, then make it HttpOnly.
Upvotes: 2