
I've read here and there that saving a jwt token in local/session storage might not be the best solution from the security point of view.

But what if I save an encrypted version of the jwt token into session storage and then decrypt it every time I need it in the application? Would that make a difference?

I would use for example something similar to the accepted answer to this question: JavaScript string encryption and decryption?

Sebastian M
  • Think about two users sharing the same browser -- it's fairly common. Local storage is trivial to find, and session storage is less likely to be found but still possible. As for encryption, the key must be stored somewhere, which means it can be found by an attacker. So, depends on how serious you are about security and how serious the attackers are :) – user2740650 Jul 10 '21 at 22:06
  • right, I did not think about 2 users. What is then the way-to-go with storing jwt client side? – Sebastian M Jul 12 '21 at 06:05
  • I'm not sure there's any safe way to do it. – user2740650 Jul 12 '21 at 20:20
  • what if I would store the key as an env variable? – Sebastian M Jul 28 '21 at 13:50
  • An env variable where? You were talking about local storage, i.e. a browser, and a browser can't modify the environment. – user2740650 Jul 28 '21 at 20:22
  • I could receive the authToken from the backend API, encrypt it with the secret I got from my env and save it to local storage. Then whenever I need the token I would get it encrypted from local storage and decrypt it in my application using the secret from my env variable – Sebastian M Jul 29 '21 at 10:01
  • Well I'm not sure I follow, but what I can say is that any sort of custom security measures will always have flaws, and hence that is bad practice. I'd suggest you post another question that asks a more broad question about how to secure your situation (and provide details of your situation there). – user2740650 Jul 29 '21 at 13:51

0 Answers