Access tokens are usually short-lived JWTs that are signed by your server and included in every HTTP request to your server to authorize the request. Refresh tokens are usually long-lived opaque strings that are stored in your database and used to get a new access token when the current one expires.
There are two common ways to store your tokens: the first is in localStorage and the second is in cookies. There is a lot of debate over which one is better, with most people leaning toward cookies as they are more secure.
Let's go over the comparison between localStorage and cookies.

localStorage

Pros: It's convenient. The token is read with plain JavaScript and attached to each request in the Authorization: Bearer ${access_token} header.

Cons: It's vulnerable to XSS attacks.
An XSS attack happens when an attacker can run JavaScript on your website. This means that the attacker can read the access token that you stored in localStorage, because localStorage is readable by any script running on the page. An XSS attack can originate from third-party JavaScript code included in your website, such as React, Vue, jQuery, Google Analytics, etc. It's almost impossible not to include any third-party libraries in your site.
#jwt #localstorage #cookies