I am building a single-page web application with Mongo, Express, React and Node. Users can register and log in, so I am giving them a JWT. I know that localStorage isn't the safest way to store a token, and in-memory storage only lives until a page refresh...
I decided to put my JWTs on the client side into an httpOnly cookie. I am on localhost, so I can't send them with {secure: 'true'}. The cookies are arriving, but there is a big problem. If I log in on one tab and log in to another account on an incognito tab, then I can simply copy-paste the other user's JWT from the httpOnly cookie.
Is there any way to prevent thefts like these?
I know that I could use refresh and access tokens, but there is this problem too. I could copy them from another user's Application tab and paste them into mine. How can I prevent it?
question from:
https://stackoverflow.com/questions/65901284/httponly-cookie-as-the-storage-of-jwt-token