JWT Storage - Microsoft Q&A (2024)

Hi @Ronald Rex ,

You need to do it just like this: set up the .NET 5.0 Web API project.

  1. Configure JWT Authentication
  2. Generate JWT Token.
  3. Validate JWT Token using CustomMiddleware and Custom Authorize Attribute.
  4. Testing the Endpoint (API) with Swagger.

A JWT needs to be stored in a safe place inside the user's browser. Anyway, you shouldn't store a JWT in local storage (or session storage). If you store it in LocalStorage/SessionStorage, it can easily be grabbed by an XSS attack.

If the answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Best regards,
Yijing Sun


FAQs

Is it safe to store JWT in session storage?

A JWT needs to be stored in a safe place inside the user's browser. Anyway, you shouldn't store a JWT in local storage (or session storage). If you store it in LocalStorage/SessionStorage, it can easily be grabbed by an XSS attack.

What is the best storage for JWT?

JWTs should be stored in cookies. You can use the HttpOnly and Secure flags depending on your requirements. To protect against CSRF, the SameSite cookie attribute can be set to Strict if that generally fits your application: the cookie is then not sent when a logged-in user follows a link to your site from any other site.

Should JWT be stored in cookies or local storage?

Hence, it's always best to store JWTs in HttpOnly cookies. HttpOnly cookies are special cookies that cannot be accessed by client-side JavaScript, so the token itself cannot be read by an XSS payload.

What is the best way to store JWT tokens in React?

In a SPA (Single Page Application), the authentication JWT can be stored either in the browser's LocalStorage or in a cookie. If you store the JWT in a cookie, the cookie should be HttpOnly: an HttpOnly cookie is sent to the server application but is not accessible to scripts running in the page.

How do you store JWT safely?

If you choose to store your JWT tokens in cookies, you should use the HttpOnly and Secure flags to enhance their security. The HttpOnly flag prevents scripts from reading your cookies, so an XSS payload cannot steal the token from them.
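The cookie-based storage recommended in the answer above and in these FAQ entries, as an added example that is not code from the original post or from the FAQ sources: a .NET 5 Web API helper that issues the JWT in an HttpOnly, Secure, SameSite=Strict cookie and configures JWT bearer authentication to read the token back from that cookie instead of from an Authorization header the SPA would build from localStorage. The signing key, issuer, cookie name and 15-minute lifetime are assumptions.

```csharp
// Assumed values: signing key (load it from config or a secret store in practice), issuer, cookie name, 15 min lifetime.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;
public static class CookieJwt
{
    const string CookieName = "access_token", Issuer = "https://api.example.test"; // assumed
    static readonly SymmetricSecurityKey Key = new SymmetricSecurityKey(
        Encoding.UTF8.GetBytes("REPLACE-WITH-A-32-BYTE-SECRET-FROM-CONFIG!!")); // placeholder; HS256 needs >= 32 bytes

    // Step 1: bearer auth that reads the token from the HttpOnly cookie, so the SPA never holds it in localStorage.
    public static IServiceCollection AddCookieJwtAuth(this IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(o =>
        {
            o.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true, ValidIssuer = Issuer, ValidateAudience = false,
                ValidateLifetime = true, ClockSkew = TimeSpan.FromSeconds(30), IssuerSigningKey = Key
            };
            o.Events = new JwtBearerEvents
            {
                OnMessageReceived = ctx =>
                {   // the handler still validates signature and expiry after this
                    if (ctx.Request.Cookies.TryGetValue(CookieName, out var token)) ctx.Token = token;
                    return System.Threading.Tasks.Task.CompletedTask;
                }
            };
        });
        return services;
    }
    // Step 2: after credentials are verified, sign a short-lived token and set it as a cookie page scripts cannot read.
    public static void IssueTokenCookie(HttpResponse response, string userName)
    {
        var jwt = new JwtSecurityToken(issuer: Issuer, claims: new[] { new Claim(ClaimTypes.Name, userName) },
            expires: DateTime.UtcNow.AddMinutes(15),
            signingCredentials: new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));
        response.Cookies.Append(CookieName, new JwtSecurityTokenHandler().WriteToken(jwt), new CookieOptions
        {
            HttpOnly = true, Secure = true,                       // no document.cookie access (XSS), HTTPS only
            SameSite = SameSiteMode.Strict, Expires = jwt.ValidTo // not sent on cross-site requests (CSRF)
        });
    }
}
```

Call `services.AddCookieJwtAuth()` from ConfigureServices and keep `app.UseAuthentication()` before `app.UseAuthorization()` in the pipeline; the login action calls `CookieJwt.IssueTokenCookie(Response, user)` once the credentials check has passed, and logout removes the cookie with `Response.Cookies.Delete("access_token")`.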

Is JWT safe enough?

The general opinion is that they're good for being used as ID tokens or access tokens and that they're secure — as the tokens are usually signed or even encrypted. You have to remember though, that JWT is not a protocol but merely a message format.

Is it safe to store email in JWT?

There should not be any problem because email is a valid and registered public claim.

Is JWT outdated?

JWT Deprecation - The JWT app type will be completely deprecated as of June 2023. New and current users will have 12 months to migrate their JWT based solutions to the server-to-server OAuth app type.

What is the maximum data size for JWT?

As a JWT is sent in an HTTP header, there is an upper limit (see the Stack Overflow question "Maximum on HTTP header values") of 8K on the majority of current servers. That limit covers all request headers together (< 8 KB), so keeping the JWT under 7 KB leaves a reasonable amount of room for the other headers.

Is local storage more secure than cookies?

Cookies still have some vulnerabilities, but they are preferable to localStorage whenever possible, because both localStorage and cookies are exposed to XSS attacks, but it's harder for an attacker to carry out the attack when you're using HttpOnly cookies.

Should you store passwords in JWT?

In the general case you would not need to keep user credentials in the JWT, because the JWT is by itself a dynamically generated credential that represents the login/password (or other means of authentication) provided when the JWT was first generated.

Why is local storage better than cookies?

The two have different purposes, and hence different strengths and weaknesses. Cookies are intended to be read by the server, whereas localStorage can only be read by the browser. Thus, cookies are restricted to small data volumes, while localStorage can store more data.

Can you store JSON in session storage?

Web storage comes in two forms: local storage and session storage. Both can store JSON data, which is a lightweight and widely used format for exchanging data between web applications.

Should I use session with JWT?

Session cookies take up very little bandwidth, whereas bandwidth consumption is higher in the JWT-based approach, because the tokens tend to get bigger and you have to send the signature along with each follow-up request; a session cookie, by contrast, is really small because it's just the ...

Can you use JWT for sessions?

Combining JWTs and Session Tokens

One of the simplest ways is to return both a session_token and a JWT when a user starts a session. The session_token is a static value that is good for the lifetime of the session (stored server-side), while the JWT has its own, shorter-lived expiry.

Is it okay to use session storage?

You can use session storage when the data that needs to be saved is sensitive. User authentication is an example of data that you would like to clear as soon as the user closes the tab.
