Currently I have the following auth flow:
User logs in
The server issues an access token sent as a response to the client, and the client saves it in the user's browser as a cookie.
This access token is short-lived (5 min) and is refreshed every 5 minutes by a refresh token, so the access token stored in the cookie changes every 5 minutes.
But well, my React app must read the cookie, get the access token from there, send it to the verification server, and then this returns true or false, and based on that I will get access to a specified React route.
Point is, I don't see any problem in this system; the only thing I'm carrying in my access token is a userID to read its refresh token from the database so it will be able to refresh the access token. But apparently having an access token stored in a cookie is a bad practice. Why would it be a bad practice? How else are you supposed to maintain that access token in the user's browser if it's not stored somewhere, as in a cookie?