Should I store JWT tokens in IndexedDB?

karandave09 · May 20, 2021, 9:31am

After reading some articles, I realize that using localStorage and sessionStorage is a bad idea for storing JWT tokens, and cookies with httpOnly should be used instead.

As I read more and learn some about indexedDB today, I wonder if indexedDB is a secure option for storing JWT tokens as well?

Ref link: cookies - Should I store JWT tokens in IndexedDB? - Stack Overflow

dan.woda · May 24, 2021, 8:18pm

Hi @karandave09,

Welcome to the Community!

It looks like indexedDB is subject to the same risks as localstorage and won’t solve for this.

karandave09 · May 27, 2021, 7:40am

Hey @dan.woda,

Thank you for your reply.

Wanted a suggestion;
So where should one store jwt token for a complete client-side (kind of a widget) single page application?

dan.woda · May 27, 2021, 7:06pm

We recommend refresh token rotation, or silent authentication (based on a cookie session), to get new access tokens in SPAs without leaving them vulnerable to XSS attacks in localstorage.

If you haven’t looking into using our SPA SDK, I highly recommend it.

system · June 11, 2021, 7:07pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Where to store refresh token on WEB? JWT.io jwt , login	2	4811	July 8, 2019
Where to store JWT? JWT.io	2	4244	July 26, 2019
Isn't storing a JWT in a non-httponly cookie just as insecure as local storage? JWT.io cookie , localstorage	4	9206	August 21, 2020
We have to not use refresh token, and we have to not store tokens at browser side. isn't it? JWT.io	1	5553	July 4, 2019
Which is the best way to store the auth0 token for a web app JWT.io auth0 , localstorage	7	13427	September 2, 2019

Should I store JWT tokens in IndexedDB?

Related topics