Does OpenID Connect provide CSRF and XSS protection?

I've been reading several articles recently about how storing JWTs in local or session storage is inherently insecure. The mitigation is apparently to implement a "session ID pattern", i.e. create a session ID, which is stored in a signed HttpOnly cookie and is also included in the JWT, in which case both can be compared server-side to make sure the token corresponds to the right session. From my limited understanding of the OpenID Connect spec, it seems like that session pattern is part of the specification (as the state parameter), so I'm assuming that using a compliant implementation should be enough to protect against CSRF/XSS in this particular context. Is this a correct assumption? Does the OpenID Connect spec include CSRF and XSS protection for JWTs?
http://dlvr.it/SjZ73k
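The two mechanisms the question describes, as an added example that is not part of the original post: an OIDC `state` value cryptographically bound to the browser's session cookie (the CSRF mitigation for the authorization callback that OAuth 2.0 and OpenID Connect Core describe), and a session id carried as a `sid` claim inside an HS256 JWT that the server compares against the cookie on every request. The server key, session ids and the `sid` claim name are constructed for illustration; signing the HttpOnly cookie itself is assumed to be handled by the web framework.

```python
import base64, hashlib, hmac, json, secrets

KEY = b"constructed-server-secret"  # placeholder; a real deployment loads this from config


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_state(session_id: str, key: bytes = KEY) -> str:
    """Mint the `state` sent in the authorization request: random part + MAC over the session id."""
    rnd = secrets.token_urlsafe(16)
    tag = hmac.new(key, f"{session_id}:{rnd}".encode(), hashlib.sha256).hexdigest()
    return f"{rnd}.{tag}"


def verify_state(state: str, cookie_session_id: str, key: bytes = KEY) -> bool:
    """On the callback, accept `state` only if it was minted for the session in this browser's cookie."""
    try:
        rnd, tag = state.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(key, f"{cookie_session_id}:{rnd}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


def issue_session_bound_jwt(claims: dict, session_id: str, key: bytes = KEY) -> str:
    """Issue a compact HS256 JWT whose payload carries the session id as a `sid` claim."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(dict(claims, sid=session_id), sort_keys=True).encode())
    sig = _b64(hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"


def jwt_matches_session(token: str, cookie_session_id: str, key: bytes = KEY) -> bool:
    """Server-side check: signature must verify and the `sid` claim must equal the cookie's session id."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False
    expected = _b64(hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return False
    claims = json.loads(_unb64(payload))
    return hmac.compare_digest(str(claims.get("sid", "")).encode(), cookie_session_id.encode())
```

The `state` check only protects the authorization callback against forged requests; binding the token to the cookie lets the server reject a token replayed from another session, but neither stops script already running in the page from making requests with it.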
