Message from JavaScript discussions

January 2018

— Just make them expire after an hour

As I said before: My objective is to build a complete frontend app (vuejs) that relies only on stateless API endpoints (even the login).

— The Spotify API makes you need a new token every hour

— Jwt + webapi + no revocation method = just stop

— Very very bad idea

— Remove any one of those and it's fine without revocation though

— Not if you issue new tokens for every request

— If you issue tokens for every request with a refresh token, like with OAuth, and still use a SPA/webapi, it doesn't matter as an attacker can then abuse that refresh token, and it does not help whatsoever

— You basically have to get rid of all XSS vulnerabilities to make it hardened, put jwt in HTTPOnly, SSL-only cookie that no client script can access, then refresh token in localstorage

— It's totally at odds with all anti-CSRF knowledge out there, and hard to implement securely unless you have revocation

— I similarly used to deploy jwt in SPA/webapi apps and found the same, wrote my own jwt library, and spent a year researching how to secure it... without a blacklist table there is no way to secure it in a way that would let me sleep at night personally

— Otherwise, even if your app is aware of CSRF, it can't stop it