
By saving the RefreshToken in an HTTP-only cookie it cannot be accessed or manipulated by JavaScript, but will be sent with each request with a greater risk of being intercepted.

When saving the RefreshToken in LocalStorage it can be accessed and manipulated via JavaScript, but it will only be sent to the server when the AccessToken needs to be renewed.

Each technique has its advantages and disadvantages.

Currently my REST API is HTTPS and stores the Access-Token in an http-only cookie on clients, in addition to returning the refreshToken in the HTTP response body. In my HTTP client I store the refreshToken in Local Storage and only send it in the request when I need to update the accessToken.

So which is the safest?

1 Answer

It strongly depends on the context, and it belongs to you to evaluate the different risks and the probability of those risks in your particular case.

Historically and in general, XSS and JavaScript injection were much more popular vectors of attack compared to the interception (and decryption) of HTTPS traffic. This doesn't mean they will still be more popular in the future, nor are they more popular today in your situation.

Essentially, evaluate the risks. Sometimes, you'll discover that it doesn't matter. For instance, if one of the risks is for the client machine to be compromised, there is a possibility that:

  • All the HTTPS traffic is sniffed (and certificates are tampered),
  • And Custom JavaScript is injected in every page,
  • And all cookies and local storage can be accessed by an attacker anyway.

However, as noted by freakish in the comment below, a scenario where the client machine is compromised is very likely outside your responsibility anyway. If you're a web developer, chances are, you don't manage client machines, and network security (i.e. everything that happens between the servers running your app and the end client) is secured by other people who—we would assume—know what they are doing. In this case, XSS and JavaScript injection are your priorities, and storing the secrets in an http-only cookie rather than local storage makes sense.
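The question's main objection to the cookie approach is that a cookie "will be sent with each request". The following is an added example (not code from the question or the answer) that models, in Node.js, the browser rules deciding two things: whether a cookie is readable by page scripts (the XSS concern the answer prioritises) and whether it is attached to a given request. It goes one step beyond the thread by showing that a refresh-token cookie scoped with the `Path` attribute to the refresh endpoint is only sent on refresh calls, which removes the "sent with every request" drawback while keeping the HttpOnly protection. The endpoint `/auth/refresh`, the cookie names and the token value are assumptions chosen for illustration.

```javascript
// Added example: models browser-side cookie rules (HttpOnly visibility, Path
// matching, Secure, SameSite) for a refresh-token cookie. Endpoint path, cookie
// names and the token value are constructed for illustration, not from the thread.
'use strict';

// Build the Set-Cookie header for a refresh token. Path limits the cookie to the
// (assumed) refresh endpoint, so it is not sent with ordinary API requests;
// HttpOnly keeps it out of document.cookie; Secure restricts it to HTTPS;
// SameSite=Strict stops cross-site requests from carrying it.
function buildRefreshCookie(token, { path = '/auth/refresh', maxAgeSeconds = 30 * 24 * 3600 } = {}) {
  return [
    `refresh_token=${encodeURIComponent(token)}`,
    `Path=${path}`,
    `Max-Age=${maxAgeSeconds}`,
    'HttpOnly',
    'Secure',
    'SameSite=Strict',
  ].join('; ');
}

// Parse a Set-Cookie header into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: decodeURIComponent(pair.slice(eq + 1)), attrs: {} };
  for (const part of attrParts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return cookie;
}

// RFC 6265 section 5.1.4 path matching, as a browser applies it.
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Would the browser attach this cookie to a request? Checks Secure, Path and
// SameSite=Strict; whether the request is same-site is a boolean the caller supplies.
function wouldBeSent(cookie, { url, sameSite = true }) {
  const u = new URL(url);
  if (cookie.attrs.secure && u.protocol !== 'https:') return false;
  if (!pathMatches(cookie.attrs.path || '/', u.pathname)) return false;
  if (String(cookie.attrs.samesite).toLowerCase() === 'strict' && !sameSite) return false;
  return true;
}

// What an injected script sees through document.cookie: everything except HttpOnly cookies.
function scriptVisibleCookies(jar) {
  return jar.filter((c) => !c.attrs.httponly).map((c) => c.name);
}

// Constructed scenario: the server issues the path-scoped refresh cookie plus an
// ordinary script-readable cookie, for contrast.
const jar = [
  parseSetCookie(buildRefreshCookie('rt-example-value')),
  parseSetCookie('theme=dark; Path=/'),
];

function demo() {
  const refresh = jar[0];
  return {
    visibleToScript: scriptVisibleCookies(jar),
    sentWithApiCall: wouldBeSent(refresh, { url: 'https://app.example/api/orders' }),
    sentWithRefresh: wouldBeSent(refresh, { url: 'https://app.example/auth/refresh' }),
    sentOverHttp: wouldBeSent(refresh, { url: 'http://app.example/auth/refresh' }),
    sentCrossSite: wouldBeSent(refresh, { url: 'https://app.example/auth/refresh', sameSite: false }),
  };
}

console.log(demo());
```

Run it with `node` and `demo()` reports that only `theme` is visible to scripts, and that the refresh cookie is attached to the HTTPS refresh call but not to the `/api/orders` call, not over plain HTTP, and not on a cross-site request. The access token can live in its own cookie with `Path=/` (as the question already does), so the refresh secret never accompanies normal traffic at all.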