I've been developing single-page web-apps for a while now, and it's gotten into my habit to use LocalStorage to store JWTs.
The reason I used JWT was to embed data about the user, and keep it on the client-side, to authenticate (identify) requests/users.
Figured out a while ago that it was wrong. On many levels!
TL;DR — don't use JWT and don't store sensitive data in LocalStorage
For starters, it's not okay to store auth data in LocalStorage.
There's also no reason to use JWT for authentication. We have things like session-cookies at our disposal, which are battle tested and have been around since basically forever.
The advantages of session cookies over JSON Web Tokens for authentication are spec stability, uniformity across libraries, simplicity, and a smaller footprint.
Last night I found an interesting article on the dangers of using LocalStorage. It pointed out many of the things that can go wrong when storing sensitive data in it. That rang a bell, so I decided to see what else I could find on the topic.
I found a couple of articles and a presentation, and decided to share them all here.
I'm going to link everything below, and hopefully anyone who reads them will find answers to the following questions:
- Is LocalStorage safe for storing authentication data?
- Should I store JWT tokens in LocalStorage?
- Should I embed user data inside a JWT?
- What alternatives to JWT are there?
- What is the difference between JWT (JSON Web Tokens) and session cookies?
- Please Stop Using Local Storage
- Slides: JWTs Suck (for web authentication and basically everything else)
- Why JWTs Suck as Session Tokens
- Stop using JWT for sessions
- Stop using JWT for sessions, part 2: Why your solution doesn't work
- Where to Store your JWTs – Cookies vs HTML5 Web Storage
The last article is not here to encourage the use of JWT but to talk about the dangers of using LocalStorage.