I'm using JSON Web Tokens (JWT) for the first time. I'm making a Node.js app using Hydra-Express framework. I want to use JWT for authentication. As per the docs, I'm returning the JSON token to the front-end.
var tokenData = {
username: req.body.username,
};
var result = {
username: req.body.username,
token: jwt.sign(tokenData, 'secret', { expiresIn: 60 * 60 })
};
res.json(result);
But I don't know how to save this JSON token to my browser header so that it doesn't get lost and is again sent to the back-end along with the header. How to save it in my browser storage and add it to the request header each time a request is sent to the backend?
I'm using JSON Web Tokens (JWT) for the first time. I'm making a Node.js app using Hydra-Express framework. I want to use JWT for authentication. As per the docs, I'm returning the JSON token to the front-end.
var tokenData = {
username: req.body.username,
};
var result = {
username: req.body.username,
token: jwt.sign(tokenData, 'secret', { expiresIn: 60 * 60 })
};
res.json(result);
But I don't know how to save this JSON token to my browser header so that it doesn't get lost and is again sent to the back-end along with the header. How to save it in my browser storage and add it to the request header each time a request is sent to the backend?
Share Improve this question edited May 21, 2017 at 12:34 Badacadabra 8,5357 gold badges31 silver badges54 bronze badges asked May 21, 2017 at 11:22 Aman DwivediAman Dwivedi 1741 silver badge10 bronze badges 1- You can use cookies, localStorage, even WebSQL if you want, any browser storage would do I guess. Still, I'd suggest you read this article: cryto/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions – Booster2ooo Commented May 21, 2017 at 11:26
4 Answers
Reset to default 5Security advice:
Trying to keep it short: cookies(http-only & secure flag) are vulnerable to CSRF but not XSS. JWT in localstorage is vulnerable to XSS but not CSRF
The best you can do is to minimize the risk: store the JWT in a cookie store a csrf_token in localstorage
To make it stateless: Include the csrf_token in the JWT payload and check serverside if the JWT csrf_token and the csrf_token read from localstorage and provided in the header match.
This requires an attacker to get the csrf_token through XSS (e.g. you use a promised 3rd party js library in your site or do not apply sanitation) And then he needs to trigger a csrf request with the csrf_token (e.g. embedded img src tag or form in a webpage /email)
This bination makes it a lot harder for an attacker (but not impossible).
It provides the same security level as a normal session based authentication with csrf_tokens, but does not require state.
When it es back store you entire token in sessionStorage
sessionStorage.token = json.access_token;
To access the payload split the jwt token into its header.payload.signature parts and grab just the payload
var enc = json.access_token.split(".")[1];
Then parse the base64
var payload = JSON.parse(window.atob(enc));
Then you can grab and use your verified payload data payload.sub, payload.role ...etc
Building on Chris's answer:
- JWTs should never be stored in your localStorage
- In fact, they shouldn't even be stored in your cookies, unless you are able to implement very strict CSRF protection
Checkout this for motivation
- JWT as an id_token is like your user credentials
- JWT as an access_token is like your session token
The most secure option is in-memory. Checkout this for a deep dive
You can use HTML5 web storage or cookie to store your JWT token and read from it whenever you want to send your request to web API.
This link will help you decide the best match for your app.
Hope it helps!!
发布者:admin,转转请注明出处:http://www.yc00.com/questions/1745311003a4621998.html
评论列表(0条)