Where to store refresh token on WEB?

httpnotonly · June 12, 2019, 2:46pm

Hi team!
I’m asking this question, because there are no articles about storing tokens in browser.
Ok, we have cache, local/session storage, cookies. Cookies look like more secure storage with possibility to mark our tokens as secure, httpOnly, sameSite.

But
We have same storage for access and refresh token.
Is it normal or not to store both tokens in cookies with all flags?
(I didn’t find anything bad, but looks like I miss some cases)

dan.woda · June 14, 2019, 5:39pm

Hi @httpnotonly,

Thanks for joining us in the Auth0 Community!

Did you get a chance to look at this doc:

The answer is going to depend on your framework.

Are you using a regular web app or SPA?

Thanks,
Dan

system · July 8, 2019, 5:54pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
We have to not use refresh token, and we have to not store tokens at browser side. isn't it? JWT.io	1	5553	July 4, 2019
Isn't storing a JWT in a non-httponly cookie just as insecure as local storage? JWT.io cookie , localstorage	4	9203	August 21, 2020
Where to store JWT token? JWT.io jwt , api	2	3790	July 26, 2021
Where to store JWT? JWT.io	2	4244	July 26, 2019
Securing access tokens in SPA + API Help spa , rest-api	4	5500	August 2, 2019

Where to store refresh token on WEB?

Related Topics