jason web token storage #55
Comments
|
How so @benjaminlees ? |
|
As web storage is accessible by javascript on the same domain making it vulnerable to cross site scripting. |
|
Any more so than cookies...? |
|
@benjaminlees Check out this blog post from Auth0 regarding XSS vs CSRF: https://auth0.com/blog/2014/01/27/ten-things-you-should-know-about-tokens-and-cookies/#xss-xsrf |
|
@eventhough thank you very much. But this article also states that through using the the HttpOnly cookie flag the cookies are not accessible through javascript and are there for immune to xxs unlike web storage. |
|
@eventhough I guess that the article also states that xsrf is a harder attack to protect against then xxs, which is a very good point and one that i had not truly understood. |
|
There are tradeoffs to everything in life. We make decisions based on what On Sunday, June 28, 2015, benjamin Lees [email protected] wrote:
|
|
@benjaminlees not all browsers support HttpOnly cookie But we are considering add support for it: #56 Want to Pair on a Pull Request tomorrow? 😉 |
|
@nelsonic definitely that would be awsome! |
|
@benjaminlees is the code where you used cookies in hapi somewhere on GitHub? |
|
@nelsonic Just updated to version 4.7.0 and I get a weird error in IE9: Does IE9 do something differently when it sends cookies over? Is there a flag or something I can set to turn off cookie auth? |
|
@eventhough oh! where are you seeing that error? (in the browser or in a response from the server?) Does your app already use cookies for something other than authentication? (or are you using the hapi-auth-cookie plugin in your app?) If its a show-stopper issue, simply downgrade to the previous version of the hapi-auth-jwt2 package by specifying v.4.6.0 in your package.json till we are able to identify precisely what the issue is. Thanks very much for reporting this. |
|
@nelsonic sorry spoke way too soon. I think it has something to do with hapi, not with hapi-auth-jwt2. Have you ever seen this problem before? I don't use cookies in my project but for some reason hapi does not like whatever IE9 is sending.... |
|
@nelsonic All is well. Not sure what IE9 is doing but if you aren't using cookies, make sure you set the route config for state.parse = false; |
|
Oh wow! headers: {
cookie: 'token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MTIzLCJuYW1lIjoiQ2hhcmxpZSIsImlhdCI6MTQzNzUxNTE5OH0.xFWe9ccAHqq1bWQ3FvY_plDcY4ClHhm173fxUVHapAE'
}So I don't expect to ever see this IE9 issue ... |
|
@eventhough thanks for the heads up! |
|
@nelsonic I saw the same error in 4.6.x so I knew it wasn't hapi-auth-jwt2. A little more sleuthing revealed that IE9 is the culprit. I'm not really using cookies for my app right now so I turned off parsing. |
|
@eventhough thanks for confirming that. |
|
Closing. this was resolved a 3 releases ago. 👍 |
from looking at this module it looks like you store the jwt in web storage rather than in a cookie.but doesn't this open you up to xss attacks?
The text was updated successfully, but these errors were encountered: