
I am working on JWT authentication based projects and I want to store the token which is created on the user's login request, but this token can be decoded easily, so where do I have to store these tokens?

// code to create token and cookie
const jwt = require('jsonwebtoken');
const secretkey = process.env.JWT_SECRET; // signing secret, loaded from the environment rather than hard-coded

const createToken = (id) => {
  return jwt.sign({ id }, secretkey);
};

// ....some code is written here.....

const token = createToken(userid);
res.cookie('jwts', token, { httpOnly: true, maxAge: 1000 * 60 * 60, sameSite: 'lax' });

2 Answers


From your question, it feels like your JWT flow isn't clear. The token can be decoded, but it will only reveal some payload data and the header, which don't contain any sensitive data.

Token generation and explanation: A JWT token is formed of a Header, a Payload and a Signature.

The header is metadata about the token itself. The payload is the data encoded in the token, e.g. the user's Id. The signature is created using the header, the payload and the SECRET stored at the server. This process is called signing. This 'SECRET' is what helps us to validate the signature's authenticity.

Well, so how do we make sure the data isn't modified?

A verification process is done at the server where the JWT's header, payload and the secret are used to create a test signature. If this signature matches the original signature (already present inside the JWT), then the data has not been modified. Without the secret, no one can manipulate the JWT. That is, the verification will fail if the signatures do not match.

Token Storage: There is some debate about whether to store the token in cookies or local-storage since both are prone to hacker attacks.

Login Flow:

  • The client sends a request to the server (POST - login).
  • The server validates the user and returns a JWT token in response if the provided credentials are valid.
  • The JWT token is stored in localStorage / cookies depending on the preferred choice (I prefer localStorage).

2 Comments

I know all this stuff, but I am confused about where to store the token. Generally I store it in cookies; is it safe to store it there?
@teksojr Yes, it's totally safe. Using cookies over localStorage is actually beneficial. If you're using localStorage, it is prone to XSS attacks (Cross-Site Scripting: it basically allows the attacker to inject malicious code using JS and easily read the localStorage). Use HTTPOnly cookies; that makes it so the browser can only send and receive the cookie, but not access or modify it in any way. They may be prone to other kinds of attacks, e.g. brute-force attacks, etc. You can read about them in articles dedicated to that. But in the end, yes, they are safe to use.

You need to send that token along with the API requests from the client. I used to store it in the client's internal storage and send that token with each and every API call.

1 Comment

Thanks for your response.
