I read some posts about "JWT vs Cookie" but they only made me more confused...
I want some clarification, when people ta
While cookies can increase the risk of CSRF attacks by virtue of them being sent automatically along with requests, they can decrease the risk of XSS attacks when the HttpOnly flag is set, because any script that is injected into the page won't be able to read the cookie.
CSRF: a user clicks on a link (or views images) on an attacker's site, which causes the browser to send a request to the victim's site. If the victim uses cookies, the browser will automatically include the cookie in the request, and if the GET request can cause any non-read-only actions, the victim site is vulnerable to the attack.
XSS: an attacker embeds a script in the victim site (the victim site is only vulnerable if inputs are not sanitized correctly), and the attacker's script can do anything JavaScript is allowed to do on the page. If you store JWT tokens in local storage, the attacker's script could read those tokens, and also send those tokens to a server they control. If you use cookies with the HttpOnly flag, the attacker's script won't be able to read your cookie to begin with. That said, the script they successfully injected will still be able to do anything JavaScript can do, so you're still hosed IMO (i.e., while they may not be able to read the cookie to send it off to their own server for use later, they can send requests to the victim site using XHR, which will include the cookie anyway).