
I'm working on a fullstack application with Node and React. I used to store the JWT in redux, so I could send it as a header with every request which should be authenticated. But recently I saw a video that said storing our JWT in redux/flux/mobx is vulnerable. How can this be vulnerable? The alternative approach he suggested was to send a cookie from the backend to the frontend with the token, so that it can be stored in the browser cookies. That way we don't have to send the token with every request.

Which approach is better here? What are the vulnerabilities of storing the token on redux?

Shashika Virajh
  • Afaik, redux works in memory and memory is cleared when you close the website, does not seem vulnerable to me. However, for jwtokens, I personally would use sessionstorage and if they want to stay logged in, localstorage. Seems perfectly fine. – Zoidbergseasharp Nov 28 '19 at 05:59
  • It is vulnerable to XSS attack because redux stores state just like localstorage. Refer here https://stackoverflow.com/questions/38329193/where-is-redux-store-saved – Prabhjot Singh Kainth Nov 28 '19 at 06:01
  • This will give you some context: https://stackoverflow.com/a/54258744/1235935 – Saptarshi Basu Nov 28 '19 at 06:03
  • localstorage is safer than cookies https://developer.mozilla.org/en-US/docs/Web/API/Document/cookie#Notes – Zoidbergseasharp Nov 28 '19 at 06:23
  • @Zoidbergseasharp localstorage is never safe unless a fingerprint is also used in the form of a cookie, and cookie is never safe unless measures are taken to protect it from XSS & CSRF. https://stackoverflow.com/a/54258744/1235935 – Saptarshi Basu Dec 02 '19 at 18:11

1 Answer


Storing your JWT token in the redux store does not make it vulnerable. You should store it in localStorage, which is a secure and persistent way of storing user tokens.

If you store them in redux or sessionStorage, the token will disappear after a page reload, but this is in no way considered insecure.

Celsiuss
  • Using `localStorage` is not secure. You can check OWASP's recommendations: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/HTML5_Security_Cheat_Sheet.md#local-storage – Anouar Apr 08 '20 at 17:33