Welcome to the Lounge
For discussing anything related to a software developer's life. Technical discussions are encouraged, but click here to ask your programming questions.

The Lounge is rated PG. If you're about to post something you wouldn't want your kid sister to read then don't post it. No flame wars, no abusive conduct, no programming questions and please don't post ads.
Re: Happy birthday... (Brisingr Aerowing, 21-May-19 14:18)
Re: Happy birthday... (RickZeeland, 21-May-19 20:24)
Re: Happy birthday... (DaveAuld, 21-May-19 22:59)
Re: Happy birthday... (CPallini, 21-May-19 21:28)
Re: Happy birthday... (CodeWraith, 22-May-19 0:20)

Rant: Elephant Security For Elephant Public Facing Elephant API (Nagy Vilmos, 21-May-19 5:18)
Re: Elephant Security For Elephant Public Facing Elephant API (OriginalGriff, 21-May-19 5:46)
Re: Elephant Security For Elephant Public Facing Elephant API (Richard Deeming, 21-May-19 5:46)
As always, the answer seems to be "it depends". :)

Can you avoid storing it at all (other than in a JavaScript variable)? The user will have to sign in each time they load your app, but that shouldn't happen too often in a SPA.

Some people recommend local storage (or session storage). Others proclaim it's a terrible idea, because it could be stolen by XSS or a compromised CDN script.

The only other option appears to be a cookie. But if you need to access that from your SPA script, it can't be marked as "HTTP only", so the same XSS / compromised CDN script could steal it just as easily. And if it's sent automatically on every request to the API, then you're open to XSRF.

There don't seem to be any good answers.

Please Stop Using Local Storage - DEV Community
Where to Store JWTs - Cookies vs HTML5 Web Storage | Stormpath
local storage - Is it safe to store a jwt in localStorage with reactjs? - Stack Overflow
local storage - CSRF protection with JSON Web Tokens - Stack Overflow

"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer

Re: Elephant Security For Elephant Public Facing Elephant API (Gary Wheeler, 21-May-19 7:12)
Re: Elephant Security For Elephant Public Facing Elephant API (Richard Deeming, 21-May-19 7:24)
Re: Elephant Security For Elephant Public Facing Elephant API (Gary Wheeler, 21-May-19 7:45)
Re: Elephant Security For Elephant Public Facing Elephant API (OriginalGriff, 21-May-19 8:01)
Re: Elephant Security For Elephant Public Facing Elephant API (Slow Eddie, 22-May-19 2:03)
Re: Elephant Security For Elephant Public Facing Elephant API (Slacker007, 21-May-19 8:11)
Re: Elephant Security For Elephant Public Facing Elephant API (Richard Deeming, 21-May-19 8:52)
Re: Elephant Security For Elephant Public Facing Elephant API (Slacker007, 21-May-19 8:54)
Re: Elephant Security For Elephant Public Facing Elephant API (RickZeeland, 21-May-19 9:38)
Re: Elephant Security For Elephant Public Facing Elephant API (Gary Wheeler, 22-May-19 1:32)
Re: Elephant Security For Elephant Public Facing Elephant API (RickZeeland, 22-May-19 2:27)
Re: Elephant Security For Elephant Public Facing Elephant API (Dan Neely, 22-May-19 3:28)
Re: Elephant Security For Elephant Public Facing Elephant API (Nagy Vilmos, 22-May-19 4:42)
Re: Elephant Security For Elephant Public Facing Elephant API (Urban Cricket, 21-May-19 8:18)
Re: Elephant Security For Elephant Public Facing Elephant API (Slacker007, 21-May-19 8:29)
Re: Elephant Security For Elephant Public Facing Elephant API (Urban Cricket, 21-May-19 8:33)
Re: Elephant Security For Elephant Public Facing Elephant API (Slacker007, 21-May-19 8:38)

Copyright © CodeProject, 1999-2019
All Rights Reserved.