jason web token storage

[benjaminlees]

from looking at this module it looks like you store the jwt in web storage rather than in a cookie.but doesn't this open you up to xss attacks?

[nelsonic]

How so @benjaminlees ?
(Genuinely, please help us understand how ...)

[benjaminlees]

As web storage is accessible by javascript on the same domain making it vulnerable to cross site scripting.

[nelsonic]

Any more so than cookies...?

[eventhough]

@benjaminlees Check out this blog post from Auth0 regarding XSS vs CSRF:

https://auth0.com/blog/2014/01/27/ten-things-you-should-know-about-tokens-and-cookies/#xss-xsrf

[benjaminlees]

@eventhough thank you very much. But this article also states that through using the the HttpOnly cookie flag the cookies are not accessible through javascript and are there for immune to xxs unlike web storage.

[benjaminlees]

@eventhough I guess that the article also states that xsrf is a harder attack to protect against then xxs, which is a very good point and one that i had not truly understood.

[eventhough]

There are tradeoffs to everything in life. We make decisions based on what
we know at that moment and figure out how to make those choices work down
the line.

On Sunday, June 28, 2015, benjamin Lees notifications@github.com wrote:

@eventhough https://github.com/eventhough I guess that the article also
states that xsrf is a harder attack to protect against then xxs, which is a
very good point and one that i had not truly understood.

—
Reply to this email directly or view it on GitHub
#55 (comment).

[nelsonic]

@benjaminlees not all browsers support HttpOnly cookie
see: http://resources.infosecinstitute.com/cookies-httponly-flag-problem-browsers/

But we are considering add support for it: #56

Want to Pair on a Pull Request tomorrow? 😉

[benjaminlees]

@nelsonic definitely that would be awsome!

[nelsonic]

@benjaminlees is the code where you used cookies in hapi somewhere on GitHub?

[eventhough]

@nelsonic Just updated to version 4.7.0 and I get a weird error in IE9: Invalid cookie value

Does IE9 do something differently when it sends cookies over? Is there a flag or something I can set to turn off cookie auth?