Senior Software Engineer @ Leapfrog Technology. I learn by breaking stuff. Coding since I was 14 years old. Mostly self-taught, but I got a CS degree, just in case, you know.
Location: Kathmandu, Nepal
Education: Bachelor's degree in Computer Engineering, Tribhuvan University
Great article 👌
I would recommend saving the JWT in a cookie with HttpOnly set. This will be more secure, since localStorage is readable by JavaScript.

Ditto, localStorage is convenient, but if any of your JS dependencies or third-party scripts is compromised, that localStorage is up for grabs.
I agree, except for the part about "more secure". They are just "differently secure/insecure", if that makes sense. While localStorage is vulnerable to XSS attacks, cookies are not safe from CSRF attacks either. There are ways to strengthen both. They have other differences as well. Just use whatever is more convenient/suitable for your use case. Having a soundly secure JWT setup is more important, IMHO.
And if you are worried about some malicious JS (from a compromised library) stealing your tokens: while cookies prevent it from getting the tokens, they cannot prevent the malicious code from acting on your behalf anyway!
You are right, but there are ways to prevent the cookie from being exposed (SameSite, etc.). localStorage is always open 😊
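The trade-off argued in the thread above (HttpOnly hides the token from page script, SameSite decides whether a cross-site request carries it, and neither stops script already running on the page from calling the API with the cookie attached) as an added, runnable example. This is not code from the original comments or from any library: `buildSetCookie`, `parseSetCookie`, `BrowserModel` and `xssPayload` are names chosen for this example, the "browser" is a deliberately simplified model of real cookie rules, and the token is a constructed placeholder rather than a real JWT.

```javascript
// Added example, not code from the original thread. A minimal model of the two
// storage options discussed: a JWT in an HttpOnly/Secure/SameSite cookie versus
// a JWT in localStorage. All names here are this example's own, not a library API,
// and BrowserModel is a simplified model of browser cookie behaviour.

// Build the Set-Cookie header a server sends after login.
function buildSetCookie(name, value, opts = {}) {
  const { httpOnly = true, secure = true, sameSite = "Strict", path = "/", maxAge } = opts;
  if (sameSite === "None" && !secure) {
    throw new Error("SameSite=None is only accepted by browsers together with Secure");
  }
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`];
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  if (secure) parts.push("Secure");
  if (httpOnly) parts.push("HttpOnly");
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join("; ");
}

// Parse a Set-Cookie header into the attributes the browser model needs.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = nameValue.indexOf("=");
  const cookie = {
    name: nameValue.slice(0, eq),
    value: decodeURIComponent(nameValue.slice(eq + 1)),
    httpOnly: false,
    secure: false,
    sameSite: "Lax", // modern browsers treat an unspecified SameSite as Lax
  };
  for (const attr of attrs) {
    const [k, v] = attr.split("=");
    const key = k.toLowerCase();
    if (key === "httponly") cookie.httpOnly = true;
    else if (key === "secure") cookie.secure = true;
    else if (key === "samesite") cookie.sameSite = v;
  }
  return cookie;
}

// Simplified browser: a cookie jar, a localStorage map, and the two questions that
// matter in the thread: what can page script read, and what gets attached to a request.
class BrowserModel {
  constructor() {
    this.cookies = [];
    this.localStorage = new Map();
  }
  receiveSetCookie(header) {
    this.cookies.push(parseSetCookie(header));
  }
  // What document.cookie exposes to script: HttpOnly cookies are omitted.
  documentCookie() {
    return this.cookies
      .filter((c) => !c.httpOnly)
      .map((c) => `${c.name}=${c.value}`)
      .join("; ");
  }
  // Cookies the browser attaches to a request to the cookie's own site.
  //   crossSite:   the request was initiated from another site (the CSRF scenario)
  //   topLevelGet: the request is a top-level GET navigation (what SameSite=Lax still allows)
  //   https:       the request goes over TLS (Secure cookies are never sent otherwise)
  cookiesForRequest({ crossSite, topLevelGet = false, https = true }) {
    return this.cookies
      .filter((c) => {
        if (c.secure && !https) return false;
        if (!crossSite) return true;
        if (c.sameSite === "Strict") return false;
        if (c.sameSite === "Lax") return topLevelGet;
        return true; // SameSite=None: sent on every cross-site request
      })
      .map((c) => `${c.name}=${c.value}`)
      .join("; ");
  }
}

// What injected script (XSS, or a compromised dependency) can exfiltrate outright.
function xssPayload(browser) {
  return {
    cookie: browser.documentCookie(),
    localStorage: Object.fromEntries(browser.localStorage),
  };
}

// Walk through the thread's scenarios with a constructed placeholder token.
function demo() {
  const token = "eyJhbGciOiJIUzI1NiJ9.demo.signature"; // constructed, not a real JWT
  const browser = new BrowserModel();
  browser.receiveSetCookie(buildSetCookie("session", token)); // HttpOnly, Secure, SameSite=Strict
  browser.localStorage.set("jwt", token);                      // the localStorage alternative
  return {
    stolen: xssPayload(browser),                                       // cookie invisible, localStorage not
    sameSiteFetch: browser.cookiesForRequest({ crossSite: false }),    // injected JS calling the API: cookie rides along
    csrfStrict: browser.cookiesForRequest({ crossSite: true, topLevelGet: true }), // cross-site: not sent
  };
}
```

On a real server the first function corresponds to the framework's cookie helper (in Express, `res.cookie('session', jwt, { httpOnly: true, secure: true, sameSite: 'strict' })`). The model makes the same point the thread does: `demo().stolen` shows the HttpOnly cookie absent from `document.cookie` while the localStorage copy is readable, `csrfStrict` shows SameSite=Strict withholding the cookie from a cross-site request, and `sameSiteFetch` shows that script already running on the page still gets the cookie attached to its own API calls, so it can act on the user's behalf without ever reading the token.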