Message from JavaScript discussions

January 2018

— To secure it, you need another token but not as a cookie, rather just in localstorage, which only scripts from your origin can see



When I coded PHP, I used several cookies with different expiration times, so if any cookie from the browser was broken, the session terminated

— A simple img tag can attack your app from any website if you only use cookies

— Your browser will happily send the cookie along with any request from any site, to your app's server

— Maybe yes, but it doesn't send the expiration time

— Not sure what you mean, if it's in cookies it gets sent

— Whereas localstorage isn't sent automatically and has to be used by your scripts

— So if I receive a csrf I take the token and blacklist it

— Yeah, you can detect CSRF attempts sometimes. If your server gets the JWT, for example, but not any other tokens like CSRF tokens, then the server can know that something is wrong and blacklist that JWT


— An img tag should be injected somehow first, right? To steal the cookie

— No

— The attacker will never need to see or steal it