top of page

Ken's Code

Using HTTP-Only Cookies to Store JWT Tokens

Writer's picture: ken quigginsken quiggins
May 17, 20232 min read


The security of user data is paramount in any application. JSON Web Tokens (JWT) are a popular method for securely transmitting information between parties. However, storing JWTs securely can be a challenge. One solution is to use HTTP-only cookies. This post will demonstrate how to use HTTP-only cookies to store JWT tokens.


What are HTTP-Only Cookies?


HTTP-only cookies are a type of web cookie that can't be accessed via JavaScript. This means they are immune to Cross-Site Scripting (XSS) attacks, one of the most common threats to web security. Why Use HTTP-Only Cookies? By storing JWTs in HTTP-only cookies, you can prevent malicious scripts from accessing the token and using it for unauthorized access. Implementation

Backend Let's assume we have a Node.js application using Express. You will also need the `jsonwebtoken` and `cookie-parser` packages, which you can install with npm:



npm install jsonwebtoken cookie-parser

Now, we can create a JWT and store it in an HTTP-only cookie when the user logs in:




const express = require('express');
const jwt = require('jsonwebtoken');
const cookieParser = require('cookie-parser');

const app = express();
app.use(cookieParser());

app.post('/login', (req, res) => {
    const user = { id: 1 };  // For simplicity, user is hardcoded. In real-world applications, you'd fetch user from your database

    const token = jwt.sign(user, 'your_jwt_secret', { expiresIn: '1h' });

    res.cookie('token', token, { httpOnly: true });
    res.json({ message: "User logged in" });
});
app.listen(3000, () => console.log('Server started on port 3000'));

Frontend

On the client side, the JWT will be stored in an HTTP-only cookie automatically after the login request is made. As a result, you don't need to do anything specific to handle the JWT. However, to access protected routes, you need to ensure your requests include credentials:


fetch('http://localhost:3000/protected-route', {
    credentials: 'include'  // This will include cookies (and thus our JWT) with the request
})
.then(response => response.json())
.then(data => console.log(data))
.catch(error => console.error('Error:', error));

Conclusion

Using HTTP-only cookies to store JWT tokens is a powerful technique that can greatly enhance the security of your application. It's a bit more complex to implement than some other solutions, but the added security is worth it. Always remember, when it comes to security, it's better to be safe than sorry!

Happy Coding!!!


Remember to replace `'your_jwt_secret'` with your actual secret key for JWTs.







5 views0 comments

Recent Posts

See All

Comments

Rated 0 out of 5 stars.
No ratings yet
Add a rating
bottom of page