TalOrlanczyk

Reputation: 1213

Where to store the refresh token safely

Where should I save the refresh token? I save it in my DB, but when I send an expired JWT and try to validate it, I can't get the payload I saved there. Is it safe to decode the JWT with atob so I get the payload, get the username, and find the saved refresh token in the DB? Because if I save it in local storage this is unsafe, since I would be saving a long-lived token there instead of only the JWT (the short-lived one).

I tried to save it in cookies, but CSRF attacks are also a problem even if I add the httponly and the secure flags. Please correct me if I'm wrong.

EDIT: I also wanted to ask how I do a silent login. Is this like doing a setInterval for 14m so I get the new token even if the user doesn't do anything?

Upvotes: 2

Views: 123

Answers (1)

user3804427

Reputation: 442

You can choose between memory or a cookie. If you can use cookies, then the best choice is a cookie! A CSRF attack won't succeed if you store it in cookies, since another site doesn't have access to another site's cookies. And you have protection from XSRF attacks too, because you never send the refresh token to the resource server; it's only for the auth server.

Upvotes: 2
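As an added example (not code from the answer), here is what the cookie option looks like end to end: the Set-Cookie header the auth server emits, the check the refresh endpoint makes on each request, and the client-side timer that does the silent refresh. It assumes a hypothetical auth server at https://auth.example.com exposing POST /auth/refresh and a front end at https://app.example.com (same site, different origin). One caveat worth keeping in mind: a browser attaches a cookie to any request to its host, including requests started from another site, unless the SameSite attribute restricts it, so the refresh endpoint below also checks the request's Origin and a custom header rather than relying on the cookie alone. For the timer, the delay is computed from the access token's exp claim instead of a fixed setInterval, so it stays correct if the token lifetime changes.

```javascript
// Added example (not from the answer): refresh cookie, CSRF check on the refresh
// endpoint, and the client-side silent-refresh timer.
// Assumptions: auth server at https://auth.example.com, SPA at https://app.example.com.
const AUTH_ORIGIN = 'https://auth.example.com';
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);   // assumption

// Set-Cookie value for the refresh token. HttpOnly keeps it away from script,
// Secure keeps it off plaintext HTTP, SameSite=Strict stops the browser attaching
// it to requests initiated from other sites, and Path limits where it is sent at all.
function refreshCookieHeader(token, maxAgeSec) {
  return [
    `refresh_token=${token}`,
    `Max-Age=${maxAgeSec}`,
    'Path=/auth/refresh',
    'HttpOnly',
    'Secure',
    'SameSite=Strict',
  ].join('; ');
}

// Server-side check for POST /auth/refresh. The cookie arrives automatically, so
// the request must also prove it came from our front end: an allow-listed Origin,
// a custom header that a plain cross-site form post cannot set, and, where the
// browser sends it, a Sec-Fetch-Site value that is not cross-site.
function isRefreshRequestAllowed(req) {
  if (req.method !== 'POST') return false;
  const h = req.headers;
  if (!ALLOWED_ORIGINS.has(h['origin'] || '')) return false;
  if (h['x-requested-with'] !== 'XMLHttpRequest') return false;
  const site = h['sec-fetch-site'];
  if (site && site !== 'same-origin' && site !== 'same-site') return false;
  return true;
}

// Client side: read exp from the access token. The payload is base64url; in a
// browser, atob() works after the same '-'/'_' substitution (Buffer is used here
// so the example also runs under Node).
function decodeExp(jwt) {
  const b64 = jwt.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8')).exp;
}

// Milliseconds until the next silent refresh: leadSec before exp, never negative.
function refreshDelayMs(accessJwt, nowSec, leadSec = 60) {
  return Math.max(0, (decodeExp(accessJwt) - nowSec - leadSec) * 1000);
}

// The request the timer fires. credentials: 'include' sends the HttpOnly cookie;
// the auth server must answer the CORS preflight with Access-Control-Allow-Origin
// set to the app origin and Access-Control-Allow-Credentials: true.
async function callRefresh() {
  const res = await fetch(`${AUTH_ORIGIN}/auth/refresh`, {
    method: 'POST',
    credentials: 'include',
    headers: { 'X-Requested-With': 'XMLHttpRequest' },
  });
  if (!res.ok) return null;                 // refresh token revoked or expired: re-login
  return (await res.json()).accessToken;    // kept in memory only, never in localStorage
}

// One timer at a time, rescheduled from the new token's exp, instead of setInterval.
function scheduleSilentRefresh(accessJwt, refreshFn = callRefresh,
                               nowFn = () => Math.floor(Date.now() / 1000)) {
  return setTimeout(async () => {
    const next = await refreshFn();
    if (next) scheduleSilentRefresh(next, refreshFn, nowFn);
  }, refreshDelayMs(accessJwt, nowFn()));
}

module.exports = { refreshCookieHeader, isRefreshRequestAllowed, decodeExp, refreshDelayMs, scheduleSilentRefresh };
```

If the app and auth server were on unrelated sites (different registrable domains), SameSite=Strict would also block the legitimate refresh call, and the refresh flow would have to move to a same-site path or a backend-for-frontend; the Origin and custom-header checks stay the same either way.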
