How to save JWT token inside HTTP only cookie?

I created an application that simply uses the JWT sent by the server after the correct credentials and logs in against any route `/api` on my Express.js server.

AngularJS, on the other hand, took this token, stored it in the session store, and used the auth interceptor every time to send the token back to the server.

I recently realized how dangerous this practice is.

In this scenario, I understand the method of transferring tokens back and forth. However, would someone be so kind as to explain, at a high level, the method that takes place when you want to store this JWT inside a secure HTTP-only cookie that cannot be read by client-side JavaScript?

For example, upon successful completion of work:

  • a cookie is created on the server,
  • the JWT is created at the same time as the cookie,
  • the JWT is stored in a cookie property called `token`, etc.

I am trying to get a mental model here of how it works. If my understanding is correct, the implementation of this method will no longer require the auth interceptor, since when the account is logged in correctly, the server will complete the entire transfer of the token inside the cookie.

+6
2 answers

cookie , cookie - , -, - , , cookie .

( , , )

, HTTP, , . , cookie , , /api.

, HTTP, . RFC 2617.

, JWT - , . , JWT , , JWT. . - JSON .

, , JWT - Base64url, . , , JWT HTTP, cookie.

, , cookie 4096 cookie ( , cookie). , , - . , JWT cookie, .

, cookie , , JWT, , .

, JWT localStorage/sessionStorage. , , , , Javascript , , . , HTTP . : Cookies vs Tokens: .

cookie (JWT), " "? , .

TL: DR:

- (XSS) (XSRF CSRF). ), - . (...)

, JWT ( ) . (...)

, JWT . , , JWT cookie , XSRF.

( )

+8

, . , .

0

Source: https://habr.com/ru/post/1656474/