
I am using a JWT token for authentication and, since the server is stateless, the client (a JavaScript app) uses cookies to store the JWT token, reads the token from the cookies every time and sets the Authorization header accordingly on any call to the server. The issue I am facing is that the token can become larger than 4KB, and this is causing a failure on the JavaScript side. Apparently, JavaScript has a limitation of 4KB for the cookie size. Therefore, this is causing an issue.

Set-Cookie header is ignored in response from url: xxxxx. Cookie length should be less than or equal to 4096 characters

My question is: what can I do to address the cookie limitation from the JavaScript point of view? Is it even the right thing to set the JWT token in the cookie? I would imagine that having a JWT token larger than 4KB can happen with some applications. What would be the alternative (and yet secure) approach to handle it in a stateless way and manage the JavaScript limitation?

Ali

2 Answers


You could store the token in sessionStorage or localStorage and append the token to all requests in the Authorization header. You could implement Bearer Authentication in your application.

You can save up to 5 MB of data in sessionStorage or localStorage, and these methods are more secure than cookies.

Session Storage:

The sessionStorage property accesses a session Storage object for the current origin. sessionStorage is similar to localStorage; the difference is that while data in localStorage doesn't expire, data in sessionStorage is cleared when the page session ends.

  1. A page session lasts as long as the browser is open, and survives over page reloads and restores.

  2. Opening a page in a new tab or window creates a new session with the value of the top-level browsing context, which differs from how session cookies work.

  3. Opening multiple tabs/windows with the same URL creates sessionStorage for each tab/window. Closing a tab/window ends the session and clears objects in sessionStorage.

Local Storage:

The read-only localStorage property allows you to access a Storage object for the Document's origin; the stored data is saved across browser sessions. localStorage is similar to sessionStorage, except that while data stored in localStorage has no expiration time, data stored in sessionStorage gets cleared when the page session ends — that is, when the page is closed.

Sohail Ashraf
  • Thanks for the reply. I can see that using local storage is possible in my case. However, I am worried about the security vulnerabilities I may run into. I can find lots of articles about this. Some say cookies are more secure, some say local storage is a better option. I will keep investigating, though. – Ali Mar 12 '20 at 07:26
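As an added example (not code from the question or either answer), the approach the answer above describes in working form: the JWT is kept in Web Storage instead of a cookie, its `exp` claim is checked before each use, and it is sent in the Authorization header as a Bearer token. The names `TOKEN_KEY`, `saveToken`, `loadToken`, `withBearer`, the Map-backed `memoryStorage` stand-in and the sample tokens are assumptions made for this example; in a browser you would pass `window.sessionStorage` or `window.localStorage` as `storage`.

```javascript
const TOKEN_KEY = "access_token";   // storage key (assumed name for this example)
const COOKIE_LIMIT = 4096;          // the per-cookie limit quoted in the question

// Minimal Storage-compatible shim so the code also runs outside a browser
// (constructed for this example; in a browser use window.sessionStorage instead).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// JWT segments are base64url without padding; restore padding before atob().
function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(s.length / 4) * 4, "=");
  const bin = atob(b64);
  return new TextDecoder().decode(Uint8Array.from(bin, (c) => c.charCodeAt(0)));
}

// The client reads the payload only to learn `exp`; the signature is the
// server's to verify, so nothing here treats the claims as trusted.
function jwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS/JWT");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Store the token; returns true when it exceeds the size a cookie could hold.
function saveToken(storage, token) {
  jwtPayload(token);               // reject anything that is not JWT-shaped
  storage.setItem(TOKEN_KEY, token);
  return token.length > COOKIE_LIMIT;
}

// Return the stored token, or null (and clear it) once `exp` has passed.
function loadToken(storage, now = Date.now()) {
  const token = storage.getItem(TOKEN_KEY);
  if (token === null) return null;
  const { exp } = jwtPayload(token);
  if (typeof exp === "number" && exp * 1000 <= now) {
    storage.removeItem(TOKEN_KEY);  // expired: do not keep sending it
    return null;
  }
  return token;
}

// Build a fetch() init whose Authorization header carries the token instead of a cookie.
function withBearer(storage, init = {}, now = Date.now()) {
  const token = loadToken(storage, now);
  const headers = { ...(init.headers || {}) };
  if (token) headers.Authorization = `Bearer ${token}`;
  return { ...init, headers };
}
```

A call site then reads `fetch(url, withBearer(sessionStorage, { method: "GET" }))`, and a 401 from the server is the signal to drop the stored token and re-authenticate.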

You can use both localStorage and sessionStorage; for a clear understanding of both, kindly see the answer here.