
Research: Store token in httpOnly Cookie #344

Open
cstenglein opened this issue Jun 8, 2022 · 2 comments
Labels
App:Other Issues not directly related to the App (e.g. folder organization) prio:medium Medium Priority

Comments

@cstenglein
Collaborator

cstenglein commented Jun 8, 2022

Store the JWT token in an httpOnly cookie and don't save it in session / local storage.

Also needs the API to support this.

@cstenglein cstenglein added prio:medium Medium Priority needs more info For issues that are not properly refined and need more information labels Jun 8, 2022
@escapedcat
Collaborator

A bit more background on this:

https://hasura.io/blog/best-practices-of-using-jwt-with-graphql/#jwt_security

> That’s why it’s also really important not to store JWT on the client, say via cookies or localstorage. Doing so you make your app vulnerable to CSRF & XSS attacks, by malicious forms or scripts to use or steal your token lying around in cookies or localstorage.

and

> What about saving it in a cookie?
>
> Creating cookies on the client to save the JWT will also be prone to XSS. If it can be read on the client from Javascript outside of your app - it can be stolen. You might think an HttpOnly cookie (created by the server instead of the client) will help, but cookies are vulnerable to CSRF attacks.

@cstenglein
Collaborator Author

Part of it is done. Currently the token comes via cookie (for SSE), and for normal requests it still comes from local storage.

Needs more work for the normal requests, but a small part is done.

Also needed: expiry time as response from login / refresh-token so the UI can calculate the refresh time.

@cstenglein cstenglein added App:Other Issues not directly related to the App (e.g. folder organization) and removed needs more info For issues that are not properly refined and need more information labels Jun 7, 2023
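The thread asks for three things: the JWT in an httpOnly cookie rather than local storage, a mitigation for the CSRF exposure that the quoted blog post points out once the browser sends the cookie automatically, and an expiry time in the login / refresh-token response so the UI can schedule its refresh. The following is an added, framework-free sketch of the server side of that scheme; it is not code from this issue or from the project's API. The cookie name `session`, the header name `X-CSRF-Token`, the `/api` path, the function names and the signing secret are all assumptions. The CSRF check is the signed double-submit pattern: the server hands the client a CSRF token derived from the session token, and state-changing requests must echo it in a header that a cross-site form cannot set. Safe methods (the SSE `EventSource` connection is a GET and cannot carry custom headers) rely on the cookie plus `SameSite=Strict`.

```python
"""Added example: HttpOnly session cookie + expiry in the body + signed
double-submit CSRF check. Not the project's code; all names are assumed."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real deployment loads this from configuration.
SECRET = b"constructed-demo-secret-do-not-use"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_jwt(subject: str, now: int, ttl: int) -> str:
    """Minimal HS256 JWT so the example runs offline (not a full JWT library)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64(json.dumps({"sub": subject, "iat": now, "exp": now + ttl},
                              separators=(",", ":")).encode())
    sig = _b64(hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"


def verify_jwt(token: str, now: int) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired.
    The header's alg field is deliberately ignored: the server always verifies
    with its own HS256 key, so a client cannot downgrade the algorithm."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims.get("exp", 0) <= now:
        return None
    return claims


def csrf_token_for(jwt_token: str) -> str:
    """Bind the CSRF token to the session token, so it is stateless on the
    server and cannot be replayed against a different session."""
    return _b64(hmac.new(SECRET, b"csrf:" + jwt_token.encode(), hashlib.sha256).digest())


def session_cookie(token: str, ttl: int) -> str:
    # HttpOnly: document.cookie cannot read it, so script injection cannot
    # simply exfiltrate the token. Secure: sent only over HTTPS.
    # SameSite=Strict: not attached to requests initiated from other sites.
    # Path=/api: not sent to unrelated routes. (Cookie name is an assumption.)
    return f"session={token}; Max-Age={ttl}; Path=/api; HttpOnly; Secure; SameSite=Strict"


def issue_login_response(subject: str, now: int, ttl: int = 900) -> tuple:
    """Login / refresh response: the JWT travels only in Set-Cookie; the JSON
    body carries the expiry the UI needs and the CSRF token, never the JWT."""
    token = make_jwt(subject, now, ttl)
    headers = {"Set-Cookie": session_cookie(token, ttl)}
    body = {"expires_at": now + ttl, "expires_in": ttl, "csrf_token": csrf_token_for(token)}
    return headers, body


def parse_cookies(header: str) -> dict:
    out = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out


SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def authorize_request(request_headers: dict, method: str, now: int) -> Optional[str]:
    """Return the authenticated subject, or None if the request is rejected.
    State-changing methods must carry X-CSRF-Token (header name assumed);
    a cross-site form can make the browser attach the cookie but cannot set
    that header, so the forged request fails here."""
    token = parse_cookies(request_headers.get("Cookie", "")).get("session")
    if not token:
        return None
    claims = verify_jwt(token, now)
    if claims is None:
        return None
    if method.upper() not in SAFE_METHODS:
        supplied = request_headers.get("X-CSRF-Token", "")
        if not hmac.compare_digest(supplied, csrf_token_for(token)):
            return None
    return claims["sub"]


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value
    headers, body = issue_login_response("admin", now)
    cookie = headers["Set-Cookie"].split(";")[0]
    print(headers["Set-Cookie"])
    print(body)
    print(authorize_request({"Cookie": cookie, "X-CSRF-Token": body["csrf_token"]}, "POST", now + 5))
    print(authorize_request({"Cookie": cookie}, "POST", now + 5))  # forged: no CSRF header
```

The UI never sees the JWT: it stores only `expires_at` (to schedule the refresh call) and `csrf_token` (to put in the header of mutating requests). Keeping the CSRF token in memory rather than local storage limits what a script injection can reach, but `SameSite=Strict` remains the first line of defence because the SSE stream cannot send the header at all.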