How can I keep track of a user's session via JWT without storing it as a cookie or in...











up vote
0
down vote

favorite
1












I've read in several places that it's not recommended to store a JWT in the browser, either in storage or as a cookie. Even if it was, for the current application I'm developing, we have the JWT stored on a java servlet, and are using a separate React app as a frontend.



I was thinking that I could just give each user an ID in a cookie and then check that their session is still valid by comparing the associated JWT.



Is there some recommended method for keeping track of a user's session with a JWT without actually sending the JWT to the user at any point? Every search I try results in a dozen articles telling me not to send JWT to the browser and store it there, but I wasn't planning to anyway. I'd like to avoid having to handle multiple methods of maintaining a user's session, and the JWT is something that isn't optional at this point.






java reactjs session jwt







share|improve this question






















  • You must have store the JWT tokens somewhere at client side. I prefer cookies with httpOnly option. Since session ends on tab close.
    – Aravind P
    Nov 9 at 16:52












  • @AravindP I can't store some kind of ID on the client side and look up a JWT server-side for each request?
    – realmature
    Nov 9 at 16:59










  • The only way you can store anything at all (in a practical sense)on the client side is through a cookie. There is no way you can keep track of users without sessions unless you made database requests with every url they requested which again isn't practical.
    – Jonathan Laliberte
    Nov 9 at 17:10










  • @JonathanLaliberte Right.... I'm not asking if there's a way to not store anything. I'm asking if there's a best practice for what to store instead of a JWT. I'm literally just thinking of a keeping map of id to jwt and wondering if there's a smarter way than that.
    – realmature
    Nov 9 at 17:41















up vote
0
down vote

favorite
1












I've read in several places that it's not recommended to store a JWT in the browser, either in storage or as a cookie. Even if it was, for the current application I'm developing, we have the JWT stored on a java servlet, and are using a separate React app as a frontend.



I was thinking that I could just give each user an ID in a cookie and then check that their session is still valid by comparing the associated JWT.



Is there some recommended method for keeping track of a user's session with a JWT without actually sending the JWT to the user at any point? Every search I try results in a dozen articles telling me not to send JWT to the browser and store it there, but I wasn't planning to anyway. I'd like to avoid having to handle multiple methods of maintaining a user's session, and the JWT is something that isn't optional at this point.






java reactjs session jwt







share|improve this question






















  • You must have store the JWT tokens somewhere at client side. I prefer cookies with httpOnly option. Since session ends on tab close.
    – Aravind P
    Nov 9 at 16:52












  • @AravindP I can't store some kind of ID on the client side and look up a JWT server-side for each request?
    – realmature
    Nov 9 at 16:59










  • The only way you can store anything at all (in a practical sense)on the client side is through a cookie. There is no way you can keep track of users without sessions unless you made database requests with every url they requested which again isn't practical.
    – Jonathan Laliberte
    Nov 9 at 17:10










  • @JonathanLaliberte Right.... I'm not asking if there's a way to not store anything. I'm asking if there's a best practice for what to store instead of a JWT. I'm literally just thinking of a keeping map of id to jwt and wondering if there's a smarter way than that.
    – realmature
    Nov 9 at 17:41













up vote
0
down vote

favorite
1









up vote
0
down vote

favorite
1






1





I've read in several places that it's not recommended to store a JWT in the browser, either in storage or as a cookie. Even if it was, for the current application I'm developing, we have the JWT stored on a java servlet, and are using a separate React app as a frontend.



I was thinking that I could just give each user an ID in a cookie and then check that their session is still valid by comparing the associated JWT.



Is there some recommended method for keeping track of a user's session with a JWT without actually sending the JWT to the user at any point? Every search I try results in a dozen articles telling me not to send JWT to the browser and store it there, but I wasn't planning to anyway. I'd like to avoid having to handle multiple methods of maintaining a user's session, and the JWT is something that isn't optional at this point.






java reactjs session jwt







share|improve this question













I've read in several places that it's not recommended to store a JWT in the browser, either in storage or as a cookie. Even if it was, for the current application I'm developing, we have the JWT stored on a java servlet, and are using a separate React app as a frontend.



I was thinking that I could just give each user an ID in a cookie and then check that their session is still valid by comparing the associated JWT.



Is there some recommended method for keeping track of a user's session with a JWT without actually sending the JWT to the user at any point? Every search I try results in a dozen articles telling me not to send JWT to the browser and store it there, but I wasn't planning to anyway. I'd like to avoid having to handle multiple methods of maintaining a user's session, and the JWT is something that isn't optional at this point.






java reactjs session jwt




java reactjs session jwt






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Nov 9 at 16:33









realmature

2818




2818












  • You must have store the JWT tokens somewhere at client side. I prefer cookies with httpOnly option. Since session ends on tab close.
    – Aravind P
    Nov 9 at 16:52












  • @AravindP I can't store some kind of ID on the client side and look up a JWT server-side for each request?
    – realmature
    Nov 9 at 16:59










  • The only way you can store anything at all (in a practical sense)on the client side is through a cookie. There is no way you can keep track of users without sessions unless you made database requests with every url they requested which again isn't practical.
    – Jonathan Laliberte
    Nov 9 at 17:10










  • @JonathanLaliberte Right.... I'm not asking if there's a way to not store anything. I'm asking if there's a best practice for what to store instead of a JWT. I'm literally just thinking of a keeping map of id to jwt and wondering if there's a smarter way than that.
    – realmature
    Nov 9 at 17:41


















  • You must have store the JWT tokens somewhere at client side. I prefer cookies with httpOnly option. Since session ends on tab close.
    – Aravind P
    Nov 9 at 16:52












  • @AravindP I can't store some kind of ID on the client side and look up a JWT server-side for each request?
    – realmature
    Nov 9 at 16:59










  • The only way you can store anything at all (in a practical sense)on the client side is through a cookie. There is no way you can keep track of users without sessions unless you made database requests with every url they requested which again isn't practical.
    – Jonathan Laliberte
    Nov 9 at 17:10










  • @JonathanLaliberte Right.... I'm not asking if there's a way to not store anything. I'm asking if there's a best practice for what to store instead of a JWT. I'm literally just thinking of a keeping map of id to jwt and wondering if there's a smarter way than that.
    – realmature
    Nov 9 at 17:41
















You must have store the JWT tokens somewhere at client side. I prefer cookies with httpOnly option. Since session ends on tab close.
– Aravind P
Nov 9 at 16:52






You must have store the JWT tokens somewhere at client side. I prefer cookies with httpOnly option. Since session ends on tab close.
– Aravind P
Nov 9 at 16:52














@AravindP I can't store some kind of ID on the client side and look up a JWT server-side for each request?
– realmature
Nov 9 at 16:59




@AravindP I can't store some kind of ID on the client side and look up a JWT server-side for each request?
– realmature
Nov 9 at 16:59












The only way you can store anything at all (in a practical sense)on the client side is through a cookie. There is no way you can keep track of users without sessions unless you made database requests with every url they requested which again isn't practical.
– Jonathan Laliberte
Nov 9 at 17:10




The only way you can store anything at all (in a practical sense)on the client side is through a cookie. There is no way you can keep track of users without sessions unless you made database requests with every url they requested which again isn't practical.
– Jonathan Laliberte
Nov 9 at 17:10












@JonathanLaliberte Right.... I'm not asking if there's a way to not store anything. I'm asking if there's a best practice for what to store instead of a JWT. I'm literally just thinking of a keeping map of id to jwt and wondering if there's a smarter way than that.
– realmature
Nov 9 at 17:41




@JonathanLaliberte Right.... I'm not asking if there's a way to not store anything. I'm asking if there's a best practice for what to store instead of a JWT. I'm literally just thinking of a keeping map of id to jwt and wondering if there's a smarter way than that.
– realmature
Nov 9 at 17:41

















active

oldest

votes











Your Answer






StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














 

draft saved


draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53229732%2fhow-can-i-keep-track-of-a-users-session-via-jwt-without-storing-it-as-a-cookie%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown






























active

oldest

votes













active

oldest

votes









active

oldest

votes






active

oldest

votes
















 

draft saved


draft discarded



















































 


draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53229732%2fhow-can-i-keep-track-of-a-users-session-via-jwt-without-storing-it-as-a-cookie%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Schultheiß

Image
Der Titel dieses Artikels ist mehrdeutig. Weitere Bedeutungen sind unter Schultheiß (Begriffsklärung) aufgeführt. Ein Schultheiß. Holzschnitt von Peter Flötner (16. Jahrhundert) Der Schultheiß oder Schuldheiß (von althochdeutsch  sculdheizo ‚Leistung Befehlender‘, vgl. mittelniederdeutsch  schult(h)ēte , latinisiert (mittellat.) sculte(t)us , schwäbisch heute noch Schultes für „Bürgermeister“) bezeichnet einen in vielen westgermanischen Rechtsordnungen vorgesehenen Beamten, der Schuld heischt : Er hatte im Auftrag seines Herren (Landesherrn, Stadtherrn, Grundherrn) die Mitglieder einer Gemeinde zur Leistung ihrer Schuldigkeit anzuhalten, also Abgaben einzuziehen oder für das Beachten anderer Verpflichtungen Sorge zu tragen. Sprachliche Varianten des Schultheißen sind Schulte , Schultes oder Schulze . Früher wurde zwischen dem Stadtschulzen und dem Dorfschulzen unterschieden. In der städtischen Gerichts- und Gemeindeverfassung war er ein vom städtischen Rat oder vom L
Read more

Liste der Kulturdenkmale in Wilsdruff

Image
Wappen von Wilsdruff Die Liste der Kulturdenkmale in Wilsdruff enthält die Kulturdenkmale in Wilsdruff. Die Anmerkungen sind zu beachten. Diese Liste ist eine Teilliste der Liste der Kulturdenkmale im Landkreis Sächsische Schweiz-Osterzgebirge. Diese Liste ist eine Teilliste der Liste der Kulturdenkmale in Sachsen. Inhaltsverzeichnis 1 Legende 2 Wilsdruff 3 Birkenhain 4 Blankenstein 5 Braunsdorf 6 Grumbach 7 Grund 8 Helbigsdorf 9 Herzogswalde 10 Kaufbach 11 Kesselsdorf 12 Kleinopitz 13 Limbach 14 Mohorn 15 Oberhermsdorf 16 Anmerkungen 17 Ausführliche Denkmaltexte 18 Quellen 19 Weblinks Legende | Bild: zeigt ein Bild des Kulturdenkmals und gegebenenfalls einen Link zu weiteren Fotos des Kulturdenkmals Bezeichnung: Name, Bezeichnung oder die Art des Kulturdenkmals Lage: Straßenname und wenn vorhanden Hausnummer des Kulturdenkmals; Grundsortierung der Liste erfolgt nach dieser A
Read more

Android Play Services Check

Image
up vote 0 down vote favorite Im facing a problem currently im making my app to run on t.v its working fine on mobiles. but the issue is if i run my app on t.v emulator splash screen appears then the app crashes log shows this error. No acceptable module found. Local version is 0 and remote version is 0 i googled this error and came with a solution that my emulator should have latest google play services installed in it.. but in my t.v emulator there is no play store so i cant update my play services to latest version. so is there any way to make a check that if play services version is less then this so run the app instead of crashing, and if the play services version is latest also run the aap... here is my code where im getting the play services version.. int playServicesAvailable = GoogleApiAvailability.g
Read more