Store JWT token in cookie

Question

This is my setup:

1 authentication server which gives out JWT token on successfull authentication.
Multiple API resource servers which gives information (when the user is authenticated).

Now I want to build my ASP.NET MVC frontend. Is it ok to take the token, which I receive after authentication, and put it in a cookie so I can access it with every secured call I need to make? I use the RestSharp DLL for doing my http calls. If it has a security flaw, then where should I store my token?

I would use this code for the cookie:

            System.Web.HttpContext.Current.Response.Cookies.Add(new System.Web.HttpCookie("Token")
        {
            Value = token.access_token,
            HttpOnly = true
        });

[Answer](http://stackoverflow.com/a/40376819/204699) to related question on where to store token in browser apps may contain useful additional information. — João Angelo, Nov 02 '16 at 16:11

score 18 · Accepted Answer · edited Jul 25 '16 at 14:19

18

You’re on the right path! The cookie should always have the HttpOnly flag, setting this flag will prevent the JavaScript environment (in the web browser) from accessing the cookie. This is the best way to prevent XSS attacks in the browser.

You should also use the Secure flag in production, to ensure that the cookie is only sent over HTTPS.

You also need to prevent CSRF attacks. This is typically done by setting a value in another cookie, which must be supplied on every request.

I work at Stormpath and we’ve written a lot of information about front-end security. These two posts may be useful for understanding all the facets:

Token Based Authentication for Single Page Apps (SPAs)

https://stormpath.com/blog/build-secure-user-interfaces-using-jwts/

edited Jul 25 '16 at 14:19

Drunix

3,313
8
28
50

answered Jun 29 '15 at 21:09

robertjd

4,723
1
25
29

2

Thanks for info. Any plan to write something about .NET Identity 2.0 Integration? – andrea.spot. Jul 31 '15 at 09:52
@andrea: It's a late follow-up, but I just wrote an article about ASP.NET + Stormpath: https://stormpath.com/blog/10-minute-asp-net-user-authentication – Nate Barbettini Jun 06 '16 at 15:51

score 1 · Answer 2 · answered Sep 28 '16 at 20:26

1

Are you generating your own JWTs?

If yes, you should consider using a signing algorithm based on asymetric encryption, like "RS256" or "RS512" -- this way you can verify the claims in your client application without sharing the private secret.

Do you really need to pass the JWT into the Cookie?

It might be safer to just put a random id in your Cookie, which references the JWT access token, and do the de-referencing magic on the server which serves your web-app.

answered Sep 28 '16 at 20:26

Tilo

33,354
5
79
106

could you provide some code , how do you store jwt in cookie please?suppose `string token=YOUR_TOKEN` , and you are coding in startup class – sepehr Feb 01 '17 at 14:20

Store JWT token in cookie

2 Answers2

Linked