Where and how save token JWT ? (Best Practice)

Question

I've read that save token JWT in localStorage is a bad practice. https://dev.to/rdegges/please-stop-using-local-storage-1i04 I'm working with ReactJs, and to other side have a API Rest with NodeJs. Where and how I should save token JWT ?, in a Cookie?

Gretting from Chile,

Answer 1

If the choice is between cookie and localStorage, both have their pros and cons when it comes to security. With all security attributes set correctly (HttpOnly, secure, SameSite=strict) it is true that a cookies could be more protected against certain attacks.

However, SameSite attributes may not work for everyone, and may not protect all functions against CSRF (Cross Site Request Forgery) attacks.

HttpOnly will protect the value from being accessed from JavaScript which is good if the application suffers (XSS) Cross Site Scripting vulnerabilities. However, any moderately qualified attacker could easily achieve what they wanted without accessing the actual value of the token anyway.

The thing to remember when storing tokens in localStorage is that it is not cleared when the browser is closed, meaning that a user will not become logged out by closing the browser - which many have come to expect. If that is a problem, you may want to consider storing the JWT in the sessionStorage instead.

Answer 2

localStorage seems fine because many people are using localStorage.

If you want extra security feature You can make your token lifespan short eg {30 min, 60 min}

Also You can check your user active state whether or not The user will Logout automatically