Friday 26 June 2015

JWT authentication: cookie vs header

There are a lot of articles around discussing what the best place to store a JWT on the client side is. In short, they all come down to:

  • HttpOnly, Secure cookie - not readable by XSS, but vulnerable to XSRF (the browser attaches it to cross-site requests automatically)

  • Header (token saved in local storage or the DOM) - no XSRF, but vulnerable to XSS (any script on the page can read it)

I think I have come up with an extremely savvy solution to this, but, since I'm a complete noob in security, I'm not sure if it's really savvy or stupid.

So, what if we split the JWT and save part of it in the cookie and another part in the header? Would it be unbreakable?

This should also solve the 'logout' problem: deleting the header portion would leave the browser incapable of logging in.

Best regards, Eugene.
