Stop storing JWT in LocalStorage! And stop using JWT.

I’ve been developing single-page web-apps for a while now, and it’s gotten into my habit to use LocalStorage to store JWTs.

The reason I used JWT was to embed data about the user, and keep it on the client-side, to authenticate (identify) requests/users.

Figured out a while ago that it was wrong. On many levels!

TL;DR — don’t use JWT and don’t store sensitive data in LocalStorage

For starters, it’s not okay to store auth data in LocalStorage.

There’s also no reason to use JWT for authentication. We have things like session-cookies at our disposal, which are battle tested and have been around since basically forever.

The advantages of using session-cookies over JSON Web Tokens for authentication are spec stability, uniformity across libraries, simplicity, footprint.

The story

Last night I found an interesting article on the dangers of using LocalStorage. It pointed out many of the things that could go wrong when storing sensitive data into it. That rang a bell, so I decided to see what else I could find on the topic.

Found a couple of articles, and a presentation, and decided to share them all, here.

I’m going to link everything below, and hopefully anyone who reads them will find answers to the following questions:

  • Is LocalStorage safe for storing authentication data?
  • Should I store JWT tokens in LocalStorage?
  • Should I embed user data inside a JWT?
  • What alternatives to JWT are there?
  • What is the difference between JWT (JSON Web Tokens) and session cookies

The last article is not here to encourage the use of JWT but to talk about the dangers of using LocalStorage.

There’s also a neat project you should check out, called paseto. Thanks to Adrian Cearnău for telling me about Paseto.

Copyright (c) 2023 Adrian Oprea. All rights reserved.