Hey in cookies vs localStorage

Hi, I want to know which is more secure for storing a JWT token (access_token or refresh token) for authenticating in MERN stack applications.
And again, when authenticating a user, is it compulsory to pass the access_token
in the header as 'Authorization: Bearer token'?

Ideally never ever local storage (vulnerable to XSS attack), ideally always an httpOnly cookie (vulnerable to CSRF but generally a lot more secure). You can use storage, and maybe nothing bad will happen, but the paragraph on basically all descriptions of how to use JWTs that says don't do it should be heeded.

No, it doesn't have to be a bearer token, but that is the most typical, and is the easiest way to ensure CORS isn't an issue; generally that's what most APIs will use.


Correct me if I’m wrong, but cookies are also a little less invasive. And you can add an expiration. And it is easier for the user to clear out if they need to.

C is for cookie, that’s good enough for me.


Thanks, because I kind of see many YouTubers using localStorage to store JWT tokens.

It might be a “quick and dirty” method for testing things out and a simple way to make a “how to” video, but it shouldn’t be in production.


What's the best way to implement this in MERN apps?

You don't really need anything special to access cookies in React, just the plain vanilla JS way. There are also libraries like "react-cookie" that will give you a hook. There are other libraries that can make things a little easier that aren't React specific. But they aren't that hard. I'd just look up a YouTube video on the subject.
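As an added example of the "plain vanilla JS" client side mentioned above (my own code, not from the thread or any library), this is the request helper a React component would call when the JWT lives in an HttpOnly cookie. The helper never touches the access token, because page JavaScript cannot read an HttpOnly cookie; the browser attaches it itself when the request is sent with `credentials: 'include'`. The only cookie it reads is a non-HttpOnly `csrf_token`, which it echoes in an `X-CSRF-Token` header on state-changing requests. The cookie and header names, the `/api/profile` path, and the injected `fetchImpl`/`cookieString` parameters are assumptions made so the function runs both in the browser and offline.

```javascript
// Added example, not code from the thread. Browser-side helper for cookie-based JWT auth.

// Read one cookie value from a document.cookie style string; null if absent.
function readCookie(cookieString, name) {
  for (const part of String(cookieString).split(';')) {
    const [k, ...rest] = part.trim().split('=');
    if (k === name) return rest.join('=');
  }
  return null;
}

// fetchImpl and cookieString are passed in (window.fetch and document.cookie in a browser)
// so the same function can be exercised with fakes outside a browser.
function apiFetch(fetchImpl, cookieString, url, options = {}) {
  const method = (options.method || 'GET').toUpperCase();
  const headers = { 'Content-Type': 'application/json', ...(options.headers || {}) };
  if (!['GET', 'HEAD', 'OPTIONS'].includes(method)) {
    // Writes must echo the CSRF cookie in a header; a cross-site form cannot do this.
    const csrf = readCookie(cookieString, 'csrf_token');
    if (!csrf) throw new Error('no csrf_token cookie present: log in first');
    headers['X-CSRF-Token'] = csrf;
  }
  // credentials: 'include' is what makes the browser send the HttpOnly access_token cookie,
  // including to an API on another origin (that origin must then allow it via CORS).
  return fetchImpl(url, { ...options, method, headers, credentials: 'include' });
}

// Usage from a React component (browser only; paths are assumptions):
//   const res = await apiFetch(fetch, document.cookie, '/api/profile',
//                              { method: 'POST', body: JSON.stringify(form) });
```

When the API is served from a different origin than the React app, the server must answer with `Access-Control-Allow-Credentials: true` and an explicit (not `*`) `Access-Control-Allow-Origin`, otherwise the browser drops the cookie; that is the CORS friction the earlier reply was referring to.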