Where to store JWT in browser? How to protect against CSRF?

I know cookie-based authentication. SSL and HttpOnly flags can be applied to protect cookie-based authentication from MITM and XSS. However, more special measures will be needed to apply in order to protect it from CSRF. They are just a bit complicated. (reference)

Recently, I discover that JSON Web Token (JWT) is quite hot as a solution for authentication. I know the stuff about encoding, decoding, and verifying JWT. However, I don’t understand why some websites/tutorials tell that there is no need for CSRF protection if JWT is used. I have read quite a lot and have tried to summarize the problems below. I just want someone to provide a bigger picture of JWT and clarify the concepts I misunderstood about JWT.

  1. If the JWT is stored in a cookie, I think it is the same as cookie-based authentication except that the server does not need to have sessions to verify the cookie/token. There is still a risk of CSRF if no special measure is implemented. Isn’t JWT stored in a cookie?

  2. If the JWT is stored in localStorage/sessionStorage, then there is no cookie involved so don’t need to protect against CSRF. The question is how to send the JWT to the server. I found here that it is suggested to use jQuery to send the JWT by HTTP header of ajax requests. So, only the ajax requests can do the authentication?

  3. Also, I found one more blog that points to use “Authorization header” and “Bearer” to send the JWT. I don’t understand the method the blog talks about. Could someone please explain more about “Authorization header” and “Bearer”? Does this make the JWT transmitted by HTTP header of ALL requests? If yes, what about CSRF?

6 Answers
6

Leave a Comment