valik

Reputation: 2094

Cookies and Jwt and when to use them

I am new to JWT, and after going through some articles I came to the understanding that we can store our JWT in a cookie and the session can still be stateless. Is that right? Also, as regards CSRF attacks: because when using cookies we can be prone to CSRF attacks, we have anti-forgery to solve the issue of CSRF. Now my main question: I'm not sure if this is correct, but are there some particular disadvantages to using cookies to store a JWT when you are implementing CrossOrigin for your controllers, that is, a scenario where my server app is located in a different place and we are calling the API from it in our client app, which is located, say, in another city? Isn't that why many web service providers refrain from using cookies?

Upvotes: 0

Views: 88

Answers (1)

L. Ivicz

Reputation: 130

  1. Yes, you can store a JWT (that is actually a JWS) in a cookie and still have your session stateless.
  2. Yes, there can be a significant rate of danger in using cookies for JWT as regards CSRF, but it can be mitigated to a minimum by the server controlling the Referrer and Origin headers and also by limiting the HTTP cookie lifetime.

I hope it helps.

Upvotes: 2
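
The server-side check described in the answer above, as an added example that is not part of the original answer. The thread names no framework, so this sketch uses plain JavaScript (Node.js); the allowed origin, the cookie name `session` and all function names are assumptions made for illustration.

```javascript
// Added example: the origin, cookie name and function names are constructed.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // assumed client origin
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Return "scheme://host[:port]" for a header value, or null if it cannot be parsed.
function originOf(value) {
  if (!value || value === "null") return null; // "null" is sent by opaque origins
  try {
    return new URL(value).origin;
  } catch {
    return null;
  }
}

// Decide whether a cookie-authenticated request may proceed.
// headers: object with lower-cased names, as Node's http module provides them.
function isRequestAllowed(method, headers, allowed = ALLOWED_ORIGINS) {
  // Safe methods must never change state, so they are not checked here.
  if (SAFE_METHODS.has(method.toUpperCase())) return true;
  // Use Origin when the browser sent it; only fall back to Referer when absent.
  const raw = headers["origin"] !== undefined ? headers["origin"] : headers["referer"];
  const source = originOf(raw);
  // Exact match on the parsed origin (never a prefix or substring test),
  // and fail closed when neither header yields a usable origin.
  return source !== null && allowed.has(source);
}

// Build the Set-Cookie value that carries the JWT with a limited lifetime.
function buildJwtCookie(jwt, maxAgeSeconds = 900) {
  return [
    `session=${jwt}`,
    `Max-Age=${maxAgeSeconds}`, // short lifetime limits how long a stolen or replayed cookie works
    "Path=/",
    "HttpOnly", // not readable from page scripts
    "Secure", // HTTPS only; required by browsers when SameSite=None
    "SameSite=None", // client and API are on different sites in the question's setup
  ].join("; ");
}
```

Comparing the parsed origin for exact equality is what rejects look-alike hosts such as `https://app.example.com.evil.test`, which a prefix comparison would accept.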
