Hugo Sum

Reputation: 243

Should I store JWT tokens in IndexedDB?

After reading some articles, I realize that using localStorage and sessionStorage is a bad idea for storing JWT tokens, and cookies with httpOnly should be used instead.

As I read more and learn something about IndexedDB today, I wonder if IndexedDB is a secure option for storing JWT tokens as well?

Upvotes: 14

Views: 2933

Answers (1)

Pankaj Tanwar

Reputation: 1060

The short answer is NO, as you are pretty much convinced using localStorage and sessionStorage is a bad idea. IndexedDB is also vulnerable to cross-site scripting (XSS) attacks similar to local storage.

Regardless of security -

  1. The IndexedDB API is powerful but may seem too complicated (I'd go so far as to say 'horrific') for simple use cases such as storing a JWT token, because even for this implementation you will have to write more code. (More code means maybe more bugs.) Just be aware of the steep learning curve when you're getting started with it.
  2. IndexedDB is not actually designed for such use cases. It is designed to work with significantly larger amounts of structured data. For basic key-value operations, IndexedDB performance takes a hit.
  3. Browser support for IndexedDB also isn't quite good.

Upvotes: 5
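The difference between script-readable storage (localStorage, sessionStorage, IndexedDB) and an `HttpOnly` cookie, as an added example that is not part of the original question or answer: this Node.js sketch models which cookies `document.cookie` would hand to any script on the page and lists the protections a token cookie is missing. The helper names, cookie names and token value are hypothetical and constructed for illustration.

```javascript
// Added example: model of what page script can read through document.cookie.
// All function names, cookie names and the token below are constructed.

// Build a Set-Cookie value for a token cookie (hypothetical helper).
function buildTokenCookie(name, token, { httpOnly = true, maxAge = 900 } = {}) {
  const parts = [`${name}=${encodeURIComponent(token)}`, 'Path=/',
    `Max-Age=${maxAge}`, 'Secure', 'SameSite=Strict'];
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Parse one Set-Cookie value into name, value and lowercased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes };
}

// Browsers leave HttpOnly cookies out of document.cookie, so injected script
// cannot read them; a value kept in IndexedDB has no equivalent flag.
function scriptVisibleCookies(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !c.attributes.httponly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// List the protections a cookie lacks, for reviewing server responses.
function missingProtections(header) {
  const { attributes } = parseSetCookie(header);
  return ['httponly', 'secure', 'samesite'].filter((a) => !attributes[a]);
}

// Constructed sample responses; the token is a placeholder, not a real JWT.
const sampleHeaders = [
  buildTokenCookie('session', 'header.payload.signature'),
  buildTokenCookie('legacy_token', 'header.payload.signature', { httpOnly: false }),
  'theme=dark; Path=/',
];
console.log(scriptVisibleCookies(sampleHeaders));
```

The `session` cookie never appears in the script-visible string, while `legacy_token` does, which is the same exposure a token has in any storage API that page script can query.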
