tags : Security, Web Development, Authentication, JWT, Identity Management
Products to look at
B2C
B2B
FAQ
Where to store auth/session token?
- See Identity Management and API Design
- Preference is to use cookies for storing auth stuff.
- For user preference etc. local storage is fine.
- URL Params / URL args / POST Body : Possible, but not recommended for obvious reasons (a token in a URL ends up in server logs, browser history and Referer headers)
- Cookies
  - XSS exposure can be tightened with the HttpOnly flag, since page scripts can then no longer read the cookie
  - Browser will automatically send cookies, so no additional handling of the auth token is required
  - Can be set across subdomains, so you can use the same auth cookie for a.x.com and b.x.com, which is cool
  - Easy to clear also
- Local storage
  - Readable by any script on the origin, so XSS can steal the token
  - Only per origin
  - Not suitable for sensitive stuff
  - Have to send the auth token yourself
- Session storage
  - Similar to Local Storage but better in this regard: it is scoped to the tab and cleared when the tab closes
- See Cookies
- See Web Storage
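As an added example (not part of the original notes), this is how the cookie option above looks on the server side: one helper builds the Set-Cookie header with HttpOnly, Secure, SameSite and a parent Domain so a.x.com and b.x.com share it, one clears it, and one reads the token back from an incoming Cookie header. The cookie name `session`, the domain `x.com` and the token values are constructed for the example.

```javascript
// Added example, not code from the original notes. Cookie name, domain and
// token values below are constructed for illustration.

const COOKIE_NAME = "session"; // constructed name

// Build the Set-Cookie header value for an auth/session token.
// `domain` is the registrable parent (e.g. "x.com"), so the cookie is also
// sent to a.x.com and b.x.com, as the notes describe.
function buildAuthCookie(token, { domain, maxAgeSeconds }) {
  // Conservative allowlist: base64url/JWT characters only, so a token can
  // never smuggle in ';' or whitespace and rewrite the cookie attributes.
  if (!/^[A-Za-z0-9._~+\/=-]+$/.test(token)) {
    throw new Error("token contains characters not allowed in a cookie value");
  }
  const attrs = [
    `${COOKIE_NAME}=${token}`,
    `Domain=${domain}`,      // shared across all subdomains of x.com
    "Path=/",
    `Max-Age=${maxAgeSeconds}`,
    "Secure",                // only ever sent over HTTPS
    "HttpOnly",              // not visible to document.cookie, so XSS cannot read it
    "SameSite=Lax",          // not attached to cross-site POSTs (CSRF)
  ];
  return attrs.join("; ");
}

// "Easy to clear": send the same name/Domain/Path again with Max-Age=0.
function clearAuthCookie({ domain }) {
  return [`${COOKIE_NAME}=`, `Domain=${domain}`, "Path=/", "Max-Age=0",
          "Secure", "HttpOnly", "SameSite=Lax"].join("; ");
}

// Server side: the browser attaches the cookie automatically; pull the
// token back out of the incoming Cookie header (null if absent).
function readAuthCookie(cookieHeader) {
  if (!cookieHeader) return null;
  for (const part of cookieHeader.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === COOKIE_NAME) return rest.join("=");
  }
  return null;
}
```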
What are the ways to do Authentication?
- Assuming we are not dealing with OIDC (OpenID Connect) here.
- We have two options, Web Sessions and JWT. For both, cookies are a safe storage mechanism, but not necessarily all the time. Here comes "it depends".