
What if any user stole my accessToken and pasted it into his browser cookie storage (using the browser developer tool)? #958

Closed
rudrabhikadiya3 opened this issue Jan 31, 2024 · 1 comment

Comments

@rudrabhikadiya3

I have shifted to the MERN stack from being a Next.js developer.

For implementing authentication in my web app, I store the accessToken in cookies (as usual) and also implemented a refreshToken mechanism.

But I have a doubt: when all the structure and the login system (even refreshToken) depend on the accessToken, which is stored in a cookie so we can access it from every component of the web application, it is also accessible by any user. That's the problem!

If I log in on my PC (desktop/laptop) and leave my PC and some other guy sits at my PC, then he can easily get my token and use it on his own PC by pasting my token into cookie storage (using the developer tool).

So how do you guys prevent this?

@ptz0n

ptz0n commented Feb 16, 2024

Correct, that's how cookies work. There are a few things to consider:

  1. Token TTL
  2. Use session storage
  3. Lock your computer

@panva panva closed this as not planned Won't fix, can't repro, duplicate, stale May 3, 2024