Storing JWT refresh token in httpOnly cookie
So, I'm building the auth part of an application. I have always returned both access and refresh tokens in the payload, and then had them stored separately on the client.
Now, after doing a little research, I have found that some people return just the access token in the payload, and have the refresh token set as an httpOnly cookie.
What is the opinion on this? Good practice? Bad practice? Unnecessary / anti-pattern? Thanks in advance!
Set both as http only cookie, do not expose them to the FE at all
If you can you can also look to outsource auth altogether. Services like clerk, supabase and many others are amazing when it comes to it.
Or just set access as httpOnly and do not expose refresh to client. It's enough to store it on server side if you are using NextAuth or similar library
JWTs are terrible for 99% of web applications.
httpOnly cookies prevent XSS, but the lack of an anti-CSRF measure means you're vulnerable to CSRF; that can't be solved with a standard JWT implementation.
Storing a refresh token as an http-only cookie and an access token in a JavaScript variable is a great auth strategy, and it prevents both XSS and CSRF attacks.
even if the access token is short lived?
Yeah, but you still need something that's not sent along automatically by the browser, a.k.a. an anti-CSRF token.
do you know any blog posts or videos about that? I have only ever used JWT and am kinda new to back-end, would love to learn more about that
https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
And I would never outsource authentication
Personally, I want to own the whole process, outsourcing doesn't make sense other than OAuth.
There's a truth to not needing to reinvent the wheel, and there's libraries for auth to use, but I'd still like to own the fucking wheel. Not hand it over and pay a premium.
I think this video describes the authentication strategy you are talking about, with JWTs and refresh/access tokens - https://youtu.be/iD49_NIQ-R4
Just stay away from JWTs is my advice.
Also the advice from OWASP
If you use TypeScript for the backend, I would just use something like Lucia Auth, instead of doing everything from scratch.
Either that (lucia-auth) or Oslo
also by pilcrow, auth utils
https://github.com/pilcrowOnPaper/oslo