Pr0g4mmer

Reputation: 43

Is secure create cookies with a token inside on the client?

I'm using Next.js, GraphQL and JWT in my app and I can't find a good way to send the cookie with the token inside from the server, so I found another approach based on creating the cookie on the client when the server sends me the token.

Is it insecure? Is it a bad practice, or is there any difference between creating cookies on the server or on the client? I'm using HTTP cookies.

This is my code on the client where I create the cookie:

 const handleSubmit = async (e) => {
    e.preventDefault();
    // createUser is the GraphQL register mutation; res.data.register holds the JWT returned by the server
    createUser({ variables: { nombre, apellidos, email, password } }).then((res) => {
      console.log(res.data.register);
      // the cookie is written by client-side script; it expires roughly 8 days from now
      cookies.set("token", res.data.register, { sameSite: 'strict', expires: new Date(new Date().getTime() + 5 * 140000000), httpOnly: true });
    });
  };

res.data.register holds the token (JWT) created by the server.

Upvotes: 3

Views: 921

Answers (1)

Michal Trojanowski

Reputation: 12322

Yes, this is insecure.

You can't create an HTTP-only cookie on the client-side. HTTP-only means that no script is able to access the cookie, but you're already creating that cookie with a script. In fact, the browser won't let you set the HTTP-only flag on a cookie set from a script.

Your server should be sending a Set-Cookie header in the response, and this is where the cookie should be set, together with HTTP-only and sameSite parameters.

Upvotes: 1
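The server-side approach the answer describes, as an added example that is not code from the question or the answer: a handler in the shape of a Next.js API route that mints the token and returns it in a Set-Cookie header carrying HttpOnly, Secure and SameSite=Strict, attributes a browser script can never apply to a cookie it writes itself. The names buildSessionCookie, readTokenFromCookieHeader, registerHandler and registerUser are assumptions for this example, the response object is a constructed stand-in so it runs without Next.js, and the JWT value is a constructed placeholder rather than a real token.

```javascript
// Added example, not from the question or answer. Builds the Set-Cookie header
// value the server should send instead of letting client script write the cookie.
function buildSessionCookie(token, maxAgeSeconds) {
  if (typeof token !== "string" || token.length === 0) {
    throw new Error("token must be a non-empty string");
  }
  // Cookie values may not contain ';', ',', whitespace or control characters.
  // A compact JWT is base64url segments joined by '.', so this check passes for
  // well-formed tokens and rejects anything that would corrupt the header.
  if (!/^[A-Za-z0-9_.-]+$/.test(token)) {
    throw new Error("token contains characters not allowed in a cookie value");
  }
  const attrs = [
    `token=${token}`,
    "HttpOnly",        // not readable through document.cookie
    "Secure",          // only sent over HTTPS
    "SameSite=Strict", // not attached to cross-site requests
    "Path=/",
    `Max-Age=${Math.floor(maxAgeSeconds)}`,
  ];
  return attrs.join("; ");
}

// Server side: pull the token back out of the Cookie request header, or null.
function readTokenFromCookieHeader(cookieHeader) {
  if (!cookieHeader) return null;
  for (const part of cookieHeader.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    if (part.slice(0, idx).trim() === "token") return part.slice(idx + 1).trim();
  }
  return null;
}

// Handler in the shape of a Next.js API route (req, res). `registerUser` stands
// in for the GraphQL register mutation and is an assumed name.
async function registerHandler(req, res, registerUser) {
  const token = await registerUser(req.body); // the server mints the JWT
  res.setHeader("Set-Cookie", buildSessionCookie(token, 7 * 24 * 60 * 60));
  res.statusCode = 200;
  // The token is not echoed in the body: the HttpOnly cookie is its only home.
  res.end(JSON.stringify({ ok: true }));
}

// Constructed stand-in for the response object so the example runs offline.
function fakeResponse() {
  const headers = {};
  return {
    headers,
    statusCode: 0,
    body: "",
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
    end(body) { this.body = body; },
  };
}

async function demo() {
  const res = fakeResponse();
  // Constructed placeholder JWT (header.payload.signature), not a real token.
  const fakeJwt = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyMSJ9.c2lnbmF0dXJl";
  await registerHandler({ body: {} }, res, async () => fakeJwt);
  console.log(res.headers["set-cookie"]);
  return res;
}

demo();
```

The client then never touches the token at all: the browser stores the cookie and attaches it to same-site requests on its own, and the server reads it back from the Cookie header as readTokenFromCookieHeader does.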
