Save JWT token in cookie

This is my setup:

  • 1 authentication server that issues a JWT token on successful authentication.
  • Several API resource servers that provide information (when a user authenticates).

Now I want to create my own ASP.NET MVC frontend. Is it possible to take the token that I receive after authentication and put it in a cookie so that I can access it with any secure call that I need to make? I am using the RestSharp DLL to make my HTTP calls. If it has a security flaw, then where should I store the token?

I would use this code for a cookie:

System.Web.HttpContext.Current.Response.Cookies.Add(new System.Web.HttpCookie("Token") { Value = token.access_token, HttpOnly = true }); 
+6
2 answers

You are on the right track! The cookie should always have the HttpOnly flag; setting this flag prevents the JavaScript environment (in a web browser) from accessing the cookie. This is the best way to prevent XSS attacks in the browser.

You should also use the Secure flag in production to ensure that cookies are only sent via HTTPS.

You also need to prevent CSRF attacks. This is usually done by setting the value in a different cookie, which should be provided for each request.

I work at Stormpath and have written a lot about front-end security. These two posts can be helpful in understanding all aspects:

Single Page Token Authentication (SPA)

https://stormpath.com/blog/build-secure-user-interfaces-using-jwts/

+8

Do you create your own JWT?

If so, you should consider using an asymmetric encryption based signature algorithm, such as “RS256” or “RS512,” so you can verify claims in your client application without sharing a secret.

Do you really need to pass the JWT into a cookie?

It might be safer to just put a random identifier in your cookie that references the JWT access token and do the dereferencing magic on the server that serves your web application.
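The two answers combined (HttpOnly and Secure flags from the first, an opaque reference id instead of the raw JWT from the second), as an added example that is not from either answer. It is a hypothetical System.Web helper for the asker's ASP.NET MVC frontend; the in-memory dictionary, the cookie name and the one-hour lifetime are assumptions, and the SameSite property needs .NET Framework 4.7.2 or later.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Web;

// Hypothetical helper: the browser only ever sees a random opaque id in an
// HttpOnly + Secure cookie; the JWT itself stays on the MVC server.
public static class TokenCookie
{
    private const string CookieName = "SessionRef";   // assumed name

    // Server-side store: opaque id -> JWT access token. A real deployment
    // would use a shared cache; a ConcurrentDictionary stands in here.
    private static readonly ConcurrentDictionary<string, string> Store =
        new ConcurrentDictionary<string, string>();

    // Called once, after the auth server returns token.access_token.
    public static string Issue(HttpResponseBase response, string accessToken)
    {
        // 32 bytes from a CSPRNG, hex-encoded: an unguessable reference id.
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        var id = BitConverter.ToString(bytes).Replace("-", "");
        Store[id] = accessToken;

        response.Cookies.Add(new HttpCookie(CookieName, id)
        {
            HttpOnly = true,                  // not readable from JavaScript
            Secure = true,                    // only sent over HTTPS
            SameSite = SameSiteMode.Strict,   // not sent on cross-site requests
            Expires = DateTime.UtcNow.AddHours(1)
        });
        return id;
    }

    // Called by a controller before a RestSharp call on the user's behalf;
    // the returned JWT goes into the Authorization: Bearer header, never to
    // the browser. Returns null when the cookie is absent or unknown.
    public static string Lookup(HttpRequestBase request)
    {
        var cookie = request.Cookies[CookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        string jwt;
        return Store.TryGetValue(cookie.Value, out jwt) ? jwt : null;
    }

    // Called on logout: dropping the mapping invalidates the cookie value.
    public static void Revoke(string id) { string _; Store.TryRemove(id, out _); }
}
```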

0

Source: https://habr.com/ru/post/989916/
