
I am new to JWT. I just return it as a Java object in JSON and made some filters so it can work just like a session_id with Spring Security.

But I don't understand how a JWT is stored on the client side: where does it go after the server response? Is it automatically stored by all browsers in cookies? Do all browsers support JWT?

I do appreciate your answer.

Jeff_Mer
  • Local storage is one option. – Tim Biegeleisen Jul 15 '21 at 05:29
  • JWT has nothing to do with browser support, it's just a string that is returned in the response from a server. You can save it in-memory, localStorage, or an http-only cookie. IMHO, you should save it in an http-only cookie. – Yousaf Jul 15 '21 at 05:30
  • Storing sensitive information like tokens in localStorage is a huge security risk. If there exists an XSS flaw, a malicious actor could steal your token. OWASP still always recommends not storing anything sensitive in localStorage: https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html#local-storage so storing tokens there is a bad suggestion. – Toerktumlare Jul 15 '21 at 11:47

1 Answer


"and made some filters so it can work just like session_id with Spring Security" - if you want to use JWTs for sessions, please don't do that, and here's an article which will tell you why: http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/ If all you need is a session, then stick with sessions. Using tokens will only complicate life for you and you will probably expose yourself to some token-related threats.

Otherwise, if you really want to stick with JWTs, then have a look at the answer linked in Yousaf's comment.

Michal Trojanowski
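Yousaf's and Toerktumlare's comments above, put into Spring Security terms as an added example (not code from the question or the answer): the server hands the JWT to the browser only as an HttpOnly, Secure, SameSite cookie, which page scripts and therefore an XSS payload cannot read, and a filter reads it back from that cookie instead of from a JSON body the client would have to park in localStorage. It assumes the javax servlet API of Spring Boot 2 (Spring 6 uses jakarta.*), a cookie named access_token, and a hypothetical JwtVerifier interface standing in for whichever JWT library checks the signature and expiry.

```java
import java.io.IOException;
import java.time.Duration;
import java.util.Arrays;
import java.util.List;
import java.util.Optional;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;
// Hypothetical stand-in for the JWT library: returns the subject if signature and expiry check out.
interface JwtVerifier { Optional<String> verifiedSubject(String token); }

public class JwtCookieFilter extends OncePerRequestFilter {
    static final String COOKIE_NAME = "access_token"; // assumed name, any will do
    private final JwtVerifier verifier;
    public JwtCookieFilter(JwtVerifier verifier) { this.verifier = verifier; }

    // Called from the login endpoint: the token goes only into the Set-Cookie header, not the JSON body.
    static void issueTokenCookie(HttpServletResponse response, String jwt, Duration ttl) {
        ResponseCookie cookie = ResponseCookie.from(COOKIE_NAME, jwt)
                .httpOnly(true)     // not visible to document.cookie, so an XSS payload cannot read it
                .secure(true)       // sent over HTTPS only
                .sameSite("Strict") // browser attaches cookies automatically, so limit cross-site sends (CSRF)
                .path("/")
                .maxAge(ttl)        // keep in step with the token's exp claim
                .build();
        response.addHeader(HttpHeaders.SET_COOKIE, cookie.toString());
    }

    // Called on every request: this replaces the session_id lookup with cookie + JWT verification.
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        Cookie[] cookies = request.getCookies(); // null when the request carries no cookies at all
        if (cookies != null) {
            Arrays.stream(cookies)
                  .filter(c -> COOKIE_NAME.equals(c.getName()))
                  .findFirst()
                  .flatMap(c -> verifier.verifiedSubject(c.getValue()))
                  .ifPresent(subject -> SecurityContextHolder.getContext().setAuthentication(
                          new UsernamePasswordAuthenticationToken(subject, null, List.of())));
        }
        chain.doFilter(request, response); // missing or invalid token: proceed unauthenticated
    }
}
```

Because the browser now attaches the cookie to every request on its own, the SameSite attribute (or Spring's built-in CSRF protection) matters in a way it did not for a token sent in an Authorization header.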