JWTs are frequently stored in LocalStorage which means that any XSS is able to l... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		freeqaz on May 26, 2022 \| parent \| context \| favorite \| on: Learnings from 5 years of tech startup code audits JWTs are frequently stored in LocalStorage which means that any XSS is able to leak the JWT. Cookies, on the other hand, can be configured to be HTTP-Only and inaccessible to JavaScript on the page. That prevents somebody with XSS from leaking the value without a second server-side vulnerability or weakness. In addition, JWTs are impossible to revoke without revoking _all_ sessions. This is the biggest weakness, imo, and the reason that they shouldn't be used client-side. I'm a huge fan of the approach the Ory is taking with Oathkeeper and Kratos: https://www.ory.sh/docs/kratos/guides/zero-trust-iap-proxy-i...

nijave on May 27, 2022 [–]

Can't you revoke them the same way you revoke any other auth token and put the token ID in a database somewhere?

waplot on May 27, 2022 | [–]

it won't be stateless then, and you might as well just use traditional sessions then

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact