发表新帖
发表新帖

Do I have to store tokens in cookies or localstorage or session?

后端 未结
关注
4 724
醉酒成梦
醉酒成梦 2020-11-27 02:41

I am using React SPA, Express, Express-session, Passport, and JWT. I\'m confused about some of the different client-side storage options to store tokens: Cookies, Session, a

4条回答
  • 盖世英雄少女心
    盖世英雄少女心 (楼主)
    2020-11-27 03:19

    LocalStorage/SessionStorage is vulnerable to XXS attacks. Access Token can be read by JavaScript.

    Cookies, with httpOnly, secure and SameSite=strict flags, are more secure. Access Token and its payload can not be accessed by JavaScript.

    BUT, if there is an XSS vulnerability, the attacker would be able to send requests as the authenticated user anyway because the malicious script does not need to read the cookie value, cookies could be sent by the browser automatically.

    This statement is true but the risks are different.

    With cookies, the access token is still hidden, attackers could only carry out “onsite” attacks. The malicious scripts injected into the web app could be limited, or it might not be very easy to change/inject more scripts. Users or web apps might need to be targeted first by attackers. These conditions limit the scale of the attack.

    With localStorage, attackers can read the access token and carry out attacks remotely. They can even share the token with other attackers and cause more serious damage. If attackers manage to inject malicious scripts in CDNs, let’s say google fonts API, attackers would be able to siphon access token and URLs from all websites that use the comprised CDN, and easily find new targets. Websites that use localStorage are more easily to become targets.

    For the sake of arguments

    A pen-testing might flag your use of localStorage for sensitive data as a risk.

    If it was ok for JavaScript to read access token from localStorage from an XSS attack, why do you think the httpOnly flag is still recommended by everyone.

    Recommendation from OWASP

    Do not store session identifiers in local storage as the data is always accessible by JavaScript. Cookies can mitigate this risk using the httpOnly flag.

    https://medium.com/@coolgk/localstorage-vs-cookie-for-jwt-access-token-war-in-short-943fb23239ca

    0 讨论(0)
 看不清?
提交回复
热议问题