Reputation: 13902
I am trying to understand the security implications of storing a JWT in local storage (prone to XSS) vs. a cookie (prone to CSRF). I would like to understand the security implications if I store the JWT in my app state in the frontend, like in a Redux store.
EDIT:
I have tried to find out more about storing tokens. It seems all the articles and answers actually start the discussion after establishing that there are 2 ways to do that, cookies or browser storage. Like this relevant question: Where to store JWT in browser? How to protect against CSRF? Like these posts:
https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage
https://auth0.com/docs/security/store-tokens
I understand the point of most of these, but I am trying to explicitly discuss the option of global variable.
Upvotes: 8
Views: 3791
Reputation: 23
If your website is vulnerable to a JS injection as Guerric P said, then the JWT would be affected.
But, what if... you use PHP to randomly generate JS variable names and save the token there?
Something like:
krm480dmkm8w273mkmxw8283 = "xxxxxxxxx.xxxxxxxxx.xxxxxxxxxx"
wke9434mkdmkd3872kd294df = "xxxxxxxxx.xxxxxxxxx.xxxxxxxxxx"
eyru482nm91njm47mkdm99qq = "xxxxxxxxx.xxxxxxxxx.xxxxxxxxxx"
Well, on the one hand, you can't get the token as easily, because instead of always having the same variable name, you always have a unique one.
On the other hand, maybe a JS script that searches variable contents for values matching 3 dots would expose you, but... you make it harder for an attacker to expose your tokens.
I would like anyone to give more info if this method would be secure or not. Thanks.
Upvotes: 0
Reputation: 31825
If you store a JWT in a global variable, or any store available from the global context, it is exposed to all of the JS code on the same page. If you trust every other JS script of your page, and if you can guarantee that your page is not vulnerable to code injection attacks, then it's safe to store the JWT in a global variable.
If you can't guarantee that the JWT will be safe, don't use global variables, prefer using encapsulation like this:
(function() {
  // Retrieve the JWT from somewhere
  var jwt = "mockjwt";
  // All of the code that needs the JWT goes here
  console.log('Safe code:', jwt);
})();

// Evil code, either:
// - Injected through a vulnerability of your website (e.g: eval misuse,
//   WYSIWYG editor vulnerable to script tag injection, etc...)
// - Injected because your user got fooled by some "copy/paste this code in the F12 tab
//   of your browser, and you'll unlock a secret functionality"
// - Untrusted <script> tag that you added to your website
console.log('Evil code:', jwt); // Fails because the JWT is scoped to the anonymous
                                // function and is not accessible from anywhere outside
                                // the function.
Upvotes: 6
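Taking the closure idea from the answer above one step further, here is an added example (not code from the question or any of the answers): the token lives only in a closure that exposes a request function, and a self-audit shows why the randomly named globals proposed in the earlier answer are still discoverable by their shape. The names createTokenHolder, jwtShapedGlobals, tokenLeaksThrough and makeRecordingFetch, and both sample tokens, are constructed for this example.

```javascript
// Keeps the JWT in a closure and exposes only the ability to use it.
function createTokenHolder(rawJwt) {
  const jwt = rawJwt; // reachable only from the function below
  return {
    // fetchImpl is passed in so this runs outside a browser; in a page use window.fetch.
    authorizedRequest(fetchImpl, url, init = {}) {
      const headers = { ...(init.headers || {}), Authorization: `Bearer ${jwt}` };
      return fetchImpl(url, { ...init, headers });
    },
    // Deliberately no getter for the raw token.
  };
}

// Self-audit: names of global properties whose value looks like a compact JWT
// (three base64url segments). A random variable name does not change the shape.
const JWT_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;
function jwtShapedGlobals(root = globalThis) {
  return Object.getOwnPropertyNames(root).filter(name => {
    try {
      const value = root[name];
      return typeof value === "string" && JWT_SHAPE.test(value);
    } catch (e) {
      return false; // some host properties throw on access; they are not strings anyway
    }
  });
}

// Does the holder object itself expose the token through any own property?
function tokenLeaksThrough(holder, rawJwt) {
  return Object.getOwnPropertyNames(holder).some(k => holder[k] === rawJwt);
}

// Test double for fetch that records the Authorization header it was given.
function makeRecordingFetch() {
  const seen = [];
  const fetchImpl = (url, init) => {
    seen.push({ url, auth: init.headers.Authorization });
    return Promise.resolve({ ok: true, status: 200 });
  };
  return { fetchImpl, seen };
}

// Constructed sample tokens; neither is a real credential.
const CLOSURE_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl";
const GLOBAL_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJnbG9iYWwifQ.b3RoZXJzaWc";
const holder = createTokenHolder(CLOSURE_JWT);

// Contrast: the randomly named global from the earlier answer is still found by shape.
globalThis.krm480dmkm8w273mkmxw8283 = GLOBAL_JWT;
```

The closure stops other scripts from reading the token by name or by scanning globals, but any script that can call authorizedRequest can still send requests with it, so this narrows exposure rather than removing the need to prevent script injection in the first place.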
Reputation: 4971
As per my understanding, storing the JWT in browser local storage/cache is more about persisting the token (user authorization) across browser sessions.
Upvotes: 2