
I am trying to build a registration/login system using the PERN stack (Postgres, Express, React & Node) for a client website.

I was doing some research and came across HTTP cookie and JWT token authorization (there are many more, but apparently those two are the dominant ones).

I noticed a lot of apps and tutorials that use Node JS seem to use JWT a lot, and store these in localStorage. But I'm doubtful about the security because I feel like a developer can basically go into localStorage and get the JWT token which o

Is there a better way to secure user authentication with this stack, or is using localStorage the rule of thumb? If so, why is that?

Thank you for your time.

ninja_nugget

2 Answers


One limiting medium to the security of both session IDs and JWTs is network transmission. In this case, both are only as secure as the network itself. But most likely, your application would be using something like HTTPS or SSL, in which case any data being sent across the network would be reasonably secure.

Regarding your other edge case of someone trying to sniff at a JWT in local storage, there are a few options you may consider:

  • First, the nature of the JWT is that it is generally tamper-proof. A JWT contains inside of it a checksum, which is a unique hash based on the actual contents of the JWT. Let's say that some malicious user sniffed local storage, and then tried to change e.g. the claims section of the JWT. In doing so, this would also change the checksum (which that user would not be able to figure out, lacking the server key). Then, the next time the compromised JWT is sent to the server, the server would reject it, because the computed checksum would not match the value contained in the JWT.
  • Second, in the event the above is deemed not secure enough, it is possible to pass around encrypted JWTs. If you go with this option, both the server and client would encrypt/decrypt before sending a JWT, which adds an extra layer of protection.
Tim Biegeleisen

Security of network transmission is just one part of the whole solution in web applications.

I'm currently researching the same topic and, as you said, a lot of tutorials, blogs, YouTube videos and other sources give excellent examples of using JWT tokens for handling user data. Unfortunately, hardly anyone goes deep into handling and processing user sessions from the administration point of view, which is where the real problems start.

Logging the user in and sending a JWT token in the response to the client is not a problem at all. The problems begin when you, as an administrator, want to invalidate a user.

Refer to these sources: http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/ Logout/invalidate a JWT

The session cookie with session data stored server-side is currently the best option for web applications.