We have begun developing an Angular single-page application against a .NET Core Web API backend. We have set up a login screen using AWS Amplify and Cognito, with a JWT Authentication Scheme in the backend.
Since then, we have discovered two things:
- JWTs suck as session tokens
- AWS Amplify stores the JWT token in browser local storage, where it shouldn't be
The latter is a particular problem as it is unlikely we will pass a penetration test.
We are thinking through our options, and one that comes to mind is, immediately after login, exchanging the JWT token for an old-school session cookie, avoiding the need to store the token on the client. Yes, perhaps this defeats the purpose of using JWT in the first place, but it does allow us to keep using Cognito as an identity store.
After a bit of searching, I haven't seen any references to people doing this. Is this a sound strategy, or have I overlooked something?
question from:
https://stackoverflow.com/questions/66064953/exchanging-a-jwt-cookie-for-a-session-cookie-in-net-core
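One way to wire up the exchange the question describes, as an added ASP.NET Core (minimal API) example that is not part of the question or any answer: the Cognito JWT is accepted once, on a Bearer-protected exchange endpoint, the claims the application needs are copied into a cookie session, and every other endpoint authenticates with the HttpOnly cookie, so nothing sensitive has to live in local storage. The Cognito authority URL uses placeholders, and the endpoint paths, cookie name and lifetime, and the claim names copied are assumptions.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer; // NuGet: Microsoft.AspNetCore.Authentication.JwtBearer
using Microsoft.AspNetCore.Authorization;
using System.Security.Claims;
var builder = WebApplication.CreateBuilder(args);
// Two schemes: JWT bearer validates the Cognito token once at exchange time,
// the cookie scheme carries the session for every request after that.
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Placeholders: take region and user pool id from the Cognito configuration.
        options.Authority = "https://cognito-idp.<REGION>.amazonaws.com/<USER_POOL_ID>";
        // Cognito access tokens carry client_id rather than aud; check client_id in a policy if needed.
        options.TokenValidationParameters.ValidateAudience = false;
        options.MapInboundClaims = false; // keep "sub", "username" as named in the token
    })
    .AddCookie(options =>
    {
        options.Cookie.Name = "__Host-session";        // __Host- prefix: Secure, Path=/, no Domain, enforced by the browser
        options.Cookie.Path = "/";
        options.Cookie.HttpOnly = true;                // unreadable from JavaScript, unlike local storage
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.SameSite = SameSiteMode.Strict; // SPA and API share a site; Strict also limits CSRF
        options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
        options.SlidingExpiration = true;
        // An API should answer 401 instead of redirecting an XHR to a login page.
        options.Events.OnRedirectToLogin = ctx => { ctx.Response.StatusCode = 401; return Task.CompletedTask; };
    });
builder.Services.AddAuthorization();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
// Exchange endpoint: reachable only with a valid Cognito JWT in the Authorization: Bearer header.
app.MapPost("/session/exchange", async (HttpContext ctx) =>
{
    // Copy only the claims the app needs; the JWT itself is never persisted on either side.
    var claims = new List<Claim>
    {
        new(ClaimTypes.NameIdentifier, ctx.User.FindFirstValue("sub") ?? throw new InvalidOperationException("no sub")),
        new(ClaimTypes.Name, ctx.User.FindFirstValue("username") ?? ctx.User.FindFirstValue("cognito:username") ?? "")
    };
    var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
    await ctx.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(identity));
    return Results.NoContent();
}).RequireAuthorization(new AuthorizeAttribute { AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme });
// Everything else authenticates with the cookie, the default scheme.
app.MapGet("/api/me", (ClaimsPrincipal user) => Results.Ok(new { id = user.FindFirstValue(ClaimTypes.NameIdentifier) }))
   .RequireAuthorization();
app.Run();
```

The SPA sends the Amplify token once to `/session/exchange` right after login and can then drop it from memory; the cookie-backed session, not the JWT, is what a penetration tester will find on the client.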