How to store an access token on the server side (client web server).


Fahim Awan

Apr 18, 2019, 11:05:01 PM
to Angular and AngularJS discussion

Greetings,
I am using Angular 7 with Angular Material for my client application, which connects to and obtains an access token from the IRIS Authorization Server to access REST APIs that reside on the resource server with delegated authority. The only problem that I am facing right now is exposing important information such as the JWT (encoded access token), which is stored in the browser's local storage and is not secure against XSS attacks.

Right now, I am having a hard time finding an alternative but secure option to store the access token on the server side (client web server) instead of the browser's local storage, to make my client application less vulnerable to XSS attacks, as local storage is designed to be accessible by JavaScript, so it doesn't provide any XSS protection.

There are some good suggestions that I have googled including the following with some pros and cons.

  • A web server-side session that maintains sensitive data: user IDs, session IDs, JWTs, API keys, etc.
  • Store in cookies with the "httpOnly" option, which is also less vulnerable to XSS attacks
  • An IndexedDB solution, which also has some caveats

Please let me know if anyone has implemented a better and more secure way of storing token information on the server side (client web server) and incorporated it in the client application to send the token inside the HTTP header when consuming REST APIs.

Sander Elias

Apr 19, 2019, 8:13:45 AM
to Angular and AngularJS discussion
Hi Fahim,

Storing your token on a server does defeat the purpose, doesn't it?
Other apps cannot read the local storage for your app, can you explain to me what security risk you see over cookies? 
CSRF is a bigger problem when you use cookies.
There are some more settings you can do on your server to mitigate the issue. There are only limited possibilities in the frontend code.

Regards
Sander

