Tags: javascript, authentication, cookies, token

Should I store the access and refresh tokens in cookies?


In my application, when the user logs in successfully, I generate the access and refresh tokens using JWT and store both in cookies. This seems correct to me because cookies add more security than local storage (by using HTTP only).

The problem is that both tokens are sent with every request. Theoretically, I should only send the refresh token when the access token has expired. Am I approaching this incorrectly?

The only solution I can think of is to store the access token in local storage and the refresh token in cookies (because it needs more security), but I'm not entirely convinced by that. I am using Express and React. Is there something I haven't understood?

Thank you in advance.


Solution

  • What you can do to avoid the refresh token being sent with every request is to ensure it is only sent to a specific path, for example:

    res.cookie('refreshToken', refreshToken, {
      httpOnly: true,
      secure: true,
      sameSite: 'Strict',
      path: '/refresh-token' // this cookie is only sent with requests to /refresh-token (and sub-paths)
    });
    
    res.cookie('accessToken', accessToken, {
      httpOnly: true,
      secure: true,
      sameSite: 'Strict'
      // no path given, so Express defaults to '/' and it is sent with every request
    });
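To see what the path restriction above actually buys you, here is an added example (not part of the answer or of Express) that models the browser's cookie path-match rule and reports which of the two cookies a request to a given path would carry; the jar contents and the `/api/profile` path are constructed for illustration.

```javascript
// Added example (not from the answer above): models the browser's cookie
// path-match rule (RFC 6265, section 5.1.4) to show which of the two cookies
// set by the answer's res.cookie() calls is attached to a given request.

// True when a cookie scoped to cookiePath is sent with a request to requestPath.
function pathMatches(cookiePath, requestPath) {
  if (cookiePath === requestPath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only matches at a "/" boundary, so "/refresh-token" does not
  // match "/refresh-tokens" but does match "/refresh-token/rotate".
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Constructed cookie jar mirroring the answer's two cookies. Express uses
// path "/" when none is given, so accessToken goes with every request.
const jar = [
  { name: 'accessToken',  value: 'ACCESS_TOKEN_PLACEHOLDER',
    path: '/',              httpOnly: true, secure: true, sameSite: 'Strict' },
  { name: 'refreshToken', value: 'REFRESH_TOKEN_PLACEHOLDER',
    path: '/refresh-token', httpOnly: true, secure: true, sameSite: 'Strict' },
];

// Names of the cookies a browser would put in the Cookie header of a
// same-site HTTPS request to requestPath.
function cookiesSentTo(requestPath, cookies = jar) {
  return cookies
    .filter((c) => pathMatches(c.path, requestPath))
    .map((c) => c.name);
}

// Set-Cookie header value for one cookie object (attribute layout assumed;
// it carries the same attributes the answer's res.cookie() options produce).
function setCookieHeader(c) {
  const parts = [`${c.name}=${encodeURIComponent(c.value)}`, `Path=${c.path}`];
  if (c.httpOnly) parts.push('HttpOnly');
  if (c.secure) parts.push('Secure');
  if (c.sameSite) parts.push(`SameSite=${c.sameSite}`);
  return parts.join('; ');
}

// Walk a few request paths and show which cookies ride along with each.
for (const p of ['/api/profile', '/refresh-token', '/refresh-token/rotate', '/refresh-tokens']) {
  console.log(`${p.padEnd(22)} -> ${cookiesSentTo(p).join(', ')}`);
}
```

Note that the access-token cookie, scoped to `/`, still accompanies the `/refresh-token` request; the restriction only keeps the refresh token off every other route.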