Store JWT token in cookie

Question

This is my setup:

• 1 authentication server which gives out JWT token on successfull authentication.
• Multiple API resource servers which gives information (

Answer 1

You’re on the right path! The cookie should always have the HttpOnly flag, setting this flag will prevent the JavaScript environment (in the web browser) from accessing the cookie. This is the best way to prevent XSS attacks in the browser.

You should also use the Secure flag in production, to ensure that the cookie is only sent over HTTPS.

You also need to prevent CSRF attacks. This is typically done by setting a value in another cookie, which must be supplied on every request.

I work at Stormpath and we’ve written a lot of information about front-end security. These two posts may be useful for understanding all the facets:

Token Based Authentication for Single Page Apps (SPAs)

https://stormpath.com/blog/build-secure-user-interfaces-using-jwts/

Answer 2

Are you generating your own JWTs?

If yes, you should consider using a signing algorithm based on asymetric encryption, like "RS256" or "RS512" -- this way you can verify the claims in your client application without sharing the private secret.

Do you really need to pass the JWT into the Cookie?

It might be safer to just put a random id in your Cookie, which references the JWT access token, and do the de-referencing magic on the server which serves your web-app.