Message from JavaScript discussions

January 2018

— I am missing the link between backend and frontend

— HttpOnly JWT cookie for session token & CSRF token = no script can ever see or steal the JWT

Hashed CSRF token in localStorage = only local scripts from the origin can attempt to make requests, or XSS

— With this method Express will handle JWT tokens and reply to the endpoint if the token is valid

— But

— Who is in charge to store the token?

— If you don't keep a blacklist table, then just the browser

— So the browser itself stores the token automatically and sends it every time I call the APIs?

— Yes, as a cookie

— The browser will auto-send the cookie though, which means every other website on the internet can send it too


— To secure it, you need another token but not as a cookie, rather just in localStorage, which only scripts from your origin can see


— When I coded PHP, I used several cookies with different expiration times, so if any cookie from the browser was broken, the session terminated


— A simple img tag can attack your app from any website if you only use cookies