Tags: node.js, http, jwt, httpsession, express-jwt

What is more secure, JWT in HTTP sessions or JWT in client's request header?


I am trying to implement a JWT-based authentication system in one of my projects and I am stuck between two options where I need some clarification. I have come up with two approaches for implementing JWT as follows:

Approach 1

  • Client sends credentials for login
  • Server verifies the credentials
  • Server generates two tokens, auth-token and refresh-token
  • Server stores these tokens in its redis-server as [key]=refresh-token and [value]=auth-token
  • Since HTTP connections are always alive between client and server, the server sets the auth-token into the http-session and sends the refresh-token in the response.
  • Client stores the refresh-token in local browser storage and uses it whenever the HTTP connection is closed between client and server to regain authentication.
  • Also, with the help of the refresh-token we can refresh the auth-token easily without logging out the user.

Approach 2

  • Client sends credentials for login
  • Server verifies the credentials
  • Server generates auth-token and sends in response to the client
  • Client sets the token in the request header for each request it makes to the server

Solution

  • This is a good explanation: https://auth0.com/learn/refresh-tokens/

    Refresh Tokens are long-lived. This means when a client gets one from a server, this token must be stored securely to keep it from being used by potential attackers, for this reason, it is not safe to store them in the browser. If a Refresh Token is leaked, it may be used to obtain new Access Tokens (and access protected resources) until it is blacklisted. Refresh Tokens must be issued to a single authenticated client to prevent the use of leaked tokens by other parties. Access Tokens must also be kept secret, but due to its shorter life, security considerations are less critical.

    Also, sessions may be hijacked or fixated.

    If you are using SSL, all the headers are encrypted.

    So I'd prefer a native JWT mechanism and will pay attention to the storage of the auth token on the client side.