JWT Tokens and Cookies

  • Question

  • Developing a web app:  Core 3.0 WebAPI with Angular 8 front end.

    If I use JWT Tokens for authentication/authorization is there any reason why I would want to also use cookies?  In other words, what do cookies allow me to do that JWT Tokens do not?

    Thanks,


    - Bruce

    • Moved by CoolDadTx Wednesday, October 30, 2019 6:23 PM ASP.NET related
    Tuesday, October 29, 2019 3:40 PM

Answers

  • Thanks for the responses below.

    Talking with a friend he told me that it's okay to store the JWT in local storage (or a cookie) in Angular as the security threat is from JavaScript and Angular prevents the execution of JavaScript.


    - Bruce

    • Marked as answer by BruceDB Thursday, October 31, 2019 6:42 PM
    Thursday, October 31, 2019 6:42 PM

All replies

  • Hi BruceDB,

    Thank you for posting here.

    >>is there any reason why I would want to also use cookies?

    Both Cookie authentication and JwtBearer Authentication are two authentication schemes that are designed for web authentication. 

    As you know, the cookie will be sent to the server automatically by the browser, while the Jwt Token should be sent in the header of `Authorization: Bearer {you-token}`.

    In other words, unless you’ve created a custom event handler on the server side to receive the token from the query string, you’ll have to write a custom JavaScript snippet so that it adds such a header to the request as you need.

    As a result, you’ll usually use Jwt Bearer in a SPA. When you’re dealing with traditional/legacy code, for example, reusing the Identity pages (scaffolded), you won’t have the choice to use JWT.

    JWT is good for many use cases, however, it’s not a silver bullet. 

    Best Regards,

    Jack


    MSDN Community Support



    Wednesday, October 30, 2019 5:20 AM
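
The header-adding snippet described in the reply above, as an added example that is not part of the original thread: a cookie is scoped to its origin by the browser, but a bearer token goes wherever the code sends it, so this sketch attaches it only to requests for one API origin. `API_ORIGIN`, `TokenStore` and `buildAuthHeaders` are hypothetical names, and the origins are constructed values.

```typescript
// Added example; all names and origins here are hypothetical/constructed.
const API_ORIGIN = "https://api.example.test";

// Holds the JWT in memory only (an assumption of this sketch).
class TokenStore {
  private token: string | null = null;
  set(jwt: string): void { this.token = jwt; }
  clear(): void { this.token = null; }
  get(): string | null { return this.token; }
}

// Returns the headers to send with a request to `requestUrl`.
// Relative and scheme-relative URLs are resolved against `pageOrigin`,
// the way the browser resolves them before sending.
function buildAuthHeaders(
  requestUrl: string,
  pageOrigin: string,
  store: TokenStore
): Record<string, string> {
  const headers: Record<string, string> = { Accept: "application/json" };
  const token = store.get();
  if (token === null) {
    return headers; // not signed in: nothing to attach
  }
  let target: URL;
  try {
    target = new URL(requestUrl, pageOrigin);
  } catch {
    return headers; // unparsable URL: send no credentials
  }
  // Compare the parsed origin (scheme + host + port), never a string prefix:
  // "https://api.example.test.other.example" and
  // "https://api.example.test@other.example" both start with API_ORIGIN.
  if (target.origin === API_ORIGIN) {
    headers["Authorization"] = `Bearer ${token}`;
  }
  return headers;
}
```

In an Angular app the same origin check would sit inside an `HttpInterceptor`, before the request is cloned with the extra header.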
  • If you are writing an ASP.NET WebAPI and the WebAPI requires authentication, you would use JWT. They don't talk about cookie authentication that I have seen in the WebAPI forum in ASP.NET forums.

    http://forums.asp.net/

    Cookies are only used on the client side.

    https://ponyfoo.com/articles/json-web-tokens-vs-session-cookies

    Wednesday, October 30, 2019 7:20 AM