Tuesday 29 September 2020

Why should I use refresh and access tokens instead of one single access token?

I understand the importance of refresh & access tokens for APIs that would be consumed by your customers from the app that they develop (this way it really is safer), but I don't understand why to use it for frontend apps (like react/react native); there's no major advantage to doing it and if anything you put the user at greater security risk... I mean, when you use one single access token you can just put it in an httpOnly cookie and it would be much more secure than providing a refresh and access token in the response of your login request and then manipulating them with JS to put them in the cookies / local storage, because this way an attacker can steal them with XSS etc. and would just be able to steal the refresh token as well and generate new access tokens and make the whole refresh & access token system just insecure compared to one single access token stored in an httpOnly cookie...

Submitted September 29, 2020 at 09:11AM by s_trader
