In a single page application it is necessary to access the JWT with JavaScript. ... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		Moneysac on Nov 25, 2023 \| parent \| context \| favorite \| on: Stop using JSON Web Tokens for user sessions In a single page application it is necessary to access the JWT with JavaScript. Thats why it is so common to save it in the code directly or in the local storage. It is dangerous though, since a XSS vulnerability can be used to access the JWT. This would be totally different with a cookie that is stored with HttpOnly.

Aldipower on Nov 26, 2023 [–]

No, why? It is very often not necessary to make this accessible to JavaScript, except you are working with refresh tokens. But this is mostly not necessary and overused.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact