I have a react-app and I store the token jwt in localStorage. I have been researching and some recommend using sessions. My question is what risks I run.
Anyone could use the token and generate calls to my Apis.
Anyone could use the token and generate calls to my Apis
Anyone who has access to the client's PC, to their session and to their browser. At this point it is the user's responsibility to protect their computer and accounts, not the developer. If you allow the browser to save your username and password (it's very common), anyone who can read the localStorage could also simply enter the browser and open a new session.
In conclusion: there is no problem using localStorage, as long as you delete the token when the user decides to close the session (you could use sessionStorage, but the browser session concept can be a bit restrictive if you want the token to last hours or even days).
What I do advise is to send the token as a header, not as a cookie, to avoid CSRF attacks.
You can find more information in this answer on StackOverflow in English.
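A small client-side helper that follows the answer's advice, added here as an example (it is not code from the question or the answer): the JWT lives in localStorage, travels only as an Authorization header rather than a cookie, and is removed on logout or once its exp claim has passed. The storage key, the in-memory fallback used when localStorage is absent, and the unsigned sample token are assumptions made for this example.

```javascript
// Added example, not from the original answer. Keeps the JWT in localStorage,
// sends it only as a bearer header (no cookie, so CSRF does not apply) and drops
// it on logout or expiry. Falls back to an in-memory store outside a browser.
const memoryStore = new Map();
const storage = typeof localStorage !== 'undefined' ? localStorage : {
  getItem: (k) => (memoryStore.has(k) ? memoryStore.get(k) : null),
  setItem: (k, v) => { memoryStore.set(k, String(v)); },
  removeItem: (k) => { memoryStore.delete(k); },
};
const TOKEN_KEY = 'jwt'; // storage key chosen for this example

function saveToken(token) { storage.setItem(TOKEN_KEY, token); }
function getToken() { return storage.getItem(TOKEN_KEY); }
function clearToken() { storage.removeItem(TOKEN_KEY); } // call this on logout

// base64url helpers (browsers and Node >= 16 provide atob/btoa)
function b64urlEncode(text) {
  return btoa(text).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function b64urlDecode(part) {
  const b64 = part.replace(/-/g, '+').replace(/_/g, '/');
  return atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4));
}

// Read the payload only; the signature is checked by the API, never by the client.
function jwtPayload(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) return null;
  try { return JSON.parse(b64urlDecode(parts[1])); } catch { return null; }
}

// A token without a numeric exp claim is treated as unusable.
function isExpired(token, nowMs = Date.now()) {
  const payload = jwtPayload(token);
  return !payload || typeof payload.exp !== 'number' || payload.exp * 1000 <= nowMs;
}

// Headers for an API call: the token goes in a header, not a cookie.
// An expired token is removed so the UI can send the user back to the login.
function authHeaders(nowMs = Date.now()) {
  const token = getToken();
  if (token === null) return {};
  if (isExpired(token, nowMs)) { clearToken(); return {}; }
  return { Authorization: `Bearer ${token}` };
}

// Constructed, unsigned sample token for offline use; real tokens are signed by the API.
function sampleToken(payload) {
  const header = b64urlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  return `${header}.${b64urlEncode(JSON.stringify(payload))}.not-a-real-signature`;
}
```

Use `authHeaders()` to build the `headers` option of each `fetch` call to your API, and `clearToken()` in the logout handler.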