I'm creating a web app, basically an admin control panel, using Angular and Laravel, and I used JWT to secure my APIs. My question is: if the JWT token is stored in local storage and is used to authenticate all my API requests, what if someone copies the JWT token from local storage and uses it for API requests separately from the app? Then how is it secure, and what is the way to secure it?

Asif Iqbal
  • https://stackoverflow.com/questions/44133536/is-it-safe-to-store-a-jwt-in-localstorage-with-reactjs – Roberto Zvjerković Mar 11 '21 at 10:46
  • Generally speaking, holding a JWT is equivalent from an auth point of view as having possession of user credentials. – Tim Biegeleisen Mar 11 '21 at 10:51
  • Incorporating things like IP address, device characteristics, etc., which can all be encrypted and stored on the same localStorage object as the JWT, makes the authentication more secure. You cannot, however, ever be sure that the device is securely in its owner's hands. With that in mind, a short-lived token that expires after a few minutes or hours (depending on your security requirements), forcing your users to log back in, also helps to secure your app. – user6854465 Mar 11 '21 at 12:46
  • Okay, I understand. Thanks. – Asif Iqbal Mar 16 '21 at 04:02

1 Answer

It is not safe to save tokens in local or session storage. Those storages are vulnerable to XSS attacks. A good practice is to keep them in memory (as a variable) or in an HTTP-only cookie.

Notihnio
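The "keep it in memory" option from the answer, combined with the short-lived-token advice from the comments, as an added TypeScript example (not code from the question, the answer, or any Angular/Laravel library): the JWT is held in a module-private variable rather than localStorage, and a request only receives an Authorization header while the token's `exp` claim is still in the future. All function names here are this example's own.

```typescript
// Added example: in-memory JWT holder for an Angular-style client.
// The token never touches localStorage, so a script that enumerates
// window.localStorage does not find it. The signature is NOT verified
// here; only the Laravel backend can do that. The client reads `exp`
// solely to avoid sending a token it already knows is dead.

interface JwtClaims {
  sub?: string;
  exp?: number; // seconds since the epoch, as in RFC 7519
}

let accessToken: string | null = null; // module-private, never persisted

// Decode one base64url segment (the JWT alphabet) into a string.
function base64UrlDecode(segment: string): string {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return atob(padded);
}

// Parse the claims part of a compact JWS (header.payload.signature).
function decodeClaims(token: string): JwtClaims {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  return JSON.parse(base64UrlDecode(parts[1])) as JwtClaims;
}

// Called once after the login response arrives.
function setAccessToken(token: string): void {
  decodeClaims(token); // reject garbage before holding it
  accessToken = token;
}

function clearAccessToken(): void {
  accessToken = null;
}

// True while a token is held and its exp is more than `skewSeconds` away,
// so a token that is about to expire is treated as already expired.
function hasValidToken(nowMs: number = Date.now(), skewSeconds = 30): boolean {
  if (accessToken === null) return false;
  const { exp } = decodeClaims(accessToken);
  if (exp === undefined) return false; // no exp: do not trust it client-side
  return exp - skewSeconds > nowMs / 1000;
}

// Headers for an API call. Empty when no usable token is held, so the
// caller can redirect to login instead of sending an expired token.
function authHeaders(nowMs: number = Date.now()): Record<string, string> {
  if (!hasValidToken(nowMs)) { clearAccessToken(); return {}; }
  return { Authorization: `Bearer ${accessToken}` };
}
```

A page reload empties the variable, which is the trade-off the answer accepts: the user logs in again (or a refresh flow backed by an HTTP-only cookie issues a new short-lived token).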